The OWASP Security Spending Benchmarks project has released a report today that contains some very interesting information on security budgets, staffing and spending breakdowns.
I enjoyed reading the report because it will allow me to analyse how my employer funds and staffs information security compared to other companies – I don’t recall reading a report like this before.
The main findings from the report were:
Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.
Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training.
38% have a third party firm conduct a security review of outsourced code.
At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).
Just under half of the surveyed organizations have Web application firewalls deployed for at least some of their Web applications.
I suggest that you have a read of the report; it is another example of the brilliant work done by OWASP volunteers. You can get the PDF report here.