When Tom Scholtz of IT analyst firm Meta Group told an Information Age conference last year that many businesses should be spending as much as 8% of their IT budgets on security products and services by 2005, he was pilloried by some delegates.

“What a load of crap,” was the considered opinion of one IT director. But Scholtz stuck to his guns, and recent surveys of senior IT management around the world by Meta have suggested he was right to do so. Armed with this new information, Meta is now, if anything, even more aggressive on its forecasts for IT security spending. The analyst group says the average security investment will peak at 8% to 12% of IT budgets in the US by 2006, and in Europe and the Asia-Pacific region by 2007. It predicts these budgets will stabilise around 5% to 8% by 2008 in the US, and by 2009 in Europe and Asia-Pacific .

“Information security remains a top-five issue for chief information officers, and the debate regarding appropriate investment levels continues to rage,” says Scholtz.

“Although capturing and benchmarking information security spending is complicated, security teams must model overall investment to track parity with industry peers and account for the cost of satisfying business requirements for managing information risk,” he says.

Meta research indicates that the average information security spending in Global 2000 organisations is currently about 4% of the IT budget, which represents a continuing increase from previous years. In Europe, the rate of increase in security spending has been significantly slower than that witnessed in the US, primarily because of the lower intensity of publicity regarding compliance issues and cyber crime.

The proportion of spend on security is likely to vary from industry to industry.

Scholtz has said in the past that, while heavily regulated financial services companies might invest 8% of their IT budget in security systems, retailers would probably spend only 5% on security and manufacturers only about 3%.