
Spending Shortfall


Despite threats of hacking and cyberterrorism, security spending remains tight



The chief security officer at a midsize manufacturing company in southern New Jersey knows his company needs to better secure its systems. But since the company hasn't been hacked, he's having trouble justifying security investments to upper management.

Despite worries about cyberterrorism, corporate spies, and malicious worms, many security officers say they're not getting the budgets they need. "The whole cost-cutting atmosphere has hit information-security spending as well," says Lloyd Hession, chief information security officer at Radianz, which runs a network for the financial-services industry. "In many companies, when the budget cuts come down from on high, there's no exception for security. A lot of companies pay lip service to security, but money has never been easy to come up with in our field."

Businesses spent the same or slightly less on security this year compared with last: spending slipped from 12.4% of their overall IT budget in 2001 to 11.8% this year, according to InformationWeek's 2002 Global Information Security Survey, fielded by PricewaterhouseCoopers. "Security is still a grudge spend," says Steve Crutchley, co-founder of security consulting and services firm 4FrontSecurity.

IT security budgets can fall below 1% in certain industries, such as manufacturing, and reach up to 12% in the security-conscious financial sector, says Mark Lobel, PricewaterhouseCoopers' senior manager of security services. Although many security officers have trouble procuring the budgets they want, Lobel says it's a promising sign that, on average, security spending as a percentage of the IT budget hasn't dropped significantly.

The chief security officer at the New Jersey manufacturing company, who requested anonymity, has a theory as to why he can't procure the security budget he needs: If the company is hacked, the CEO or CFO isn't accountable--he is. That's why he's trying to figure out ways to educate employees without the necessary budget. For instance, he plans to write his own articles on security awareness for the company newsletter.

Others agree that accountability is a big part of the problem. "Until someone says, 'CEO or CFO, you're directly responsible,' you're not going to see adequate security spending," 4FrontSecurity's Crutchley says. It's one of the reasons the average tenure of a chief security officer is "18 months. They're given heavy responsibility and often little political or budgetary power," he says.

But the manufacturing chief security officer says he's losing the battle for an appropriate security budget. "I requested we add employee security-awareness training and improved antivirus defenses to our budget. Awareness was the first item cut, and I'm still waiting for a response on the antivirus," he says. But this tack is shortsighted because the company would lower its risk of viruses if employees knew not to click on certain types of attachments, he adds. For instance, most employees don't know that when they disconnect their notebooks from the network they're no longer protected by the company's firewall and gateway antivirus software. "So they go home, connect to the Internet, check E-mail, surf around, and get infected, bringing all sorts of nasty things back to the network," he says.

Companies scrimping on security technology, let alone awareness training, are foolish, Lobel says. "Awareness training is one of the areas where you can get the biggest bang for your buck," he says. Most employees aren't aware of good security practices, and most aren't trained to be wary that someone asking for a password and claiming to be from the corporate help desk may be a hacker.

