Saw this headline on the InfoSecurity News mailing list today:

“Firms spend only up to 20% of their budget on IT security“

This is one of the more bizarre statements I’ve seen in a long time. It refers to one person’s notion of security spending in the United Arab Emirates. The article interviews representatives from Symantec, McAfee, Trend Micro and Fortinet. Here are some choice excerpts:

Security accounts for only 10 to 20 per cent of overall IT budgets within UAE enterprises – well below global standards.

Emirates Business discussed IT security with Hamed Diab, Regional Director of McAfee Middle East; Johnny Karam, Regional Director of Symantec Mena; Rik Ferguson, Solutions Architect, Emea at Trend Micro and Judhi Prasetyo, Regional Channel Manager at Fortinet Middle East.

How much a share of IT budgets is allocated to security?

Ferguson: According to a recent Forrester report, spending on security was projected to reach 12.6 per cent of total IT spending in 2009, up from 7.2 per cent in 2007 and 11.7 per cent in 2008. Security is projected to account for 18 per cent of new project budgets.

Prasetyo: I would say up to 25 per cent.

Do you think the security spend in the region is on a par with global markets?

Prasetyo: Not yet. Spending on IT security globally can reach 30 to 40 per cent of the whole IT budget, but here it is around 10 to 20 per cent. The highest we have seen is 25 per cent. Most enterprises globally are shifting from computer security threat defence to corporate data protection, which can be seen as an increase in the budget for IT security. I expect the Middle East market to eventually follow the same trend.

I find most of these statements pretty far-fetched and would be interested in any evidence otherwise.