Cigarettes and gambling might no longer be recession-proof, but IT security budgets at large corporations are getting a bigger proportion of the IT spend in 2009, according to a new study from Forrester.
Over the next 12 months, about one in five security groups plans to pilot or adopt
The budgets, which follow a jump in 2008 as well, come with a growing awareness on the part of business executives that security is a business risk, the study showed. But getting the backing of the business on security matters and securing adequate funding remain serious challenges for IT groups. And the day-to-day burden of protecting the company? That remains almost exclusively the province of IT at most places, leaving security teams little time for strategic planning.
"Even though people realize that security is important to the business and security is focusing on protecting the data -- both good things -- organizations still have a hard time understanding how much do we spend, where should we spend, what is the right amount to spend and the kind of projects they should be doing," said Forrester analyst Jonathan Penn, lead author of the study.
The findings are based on responses from 942 business, IT and security executives at companies with 1,000 to upwards of 20,000 employees. The survey was conducted in the third quarter of 2008.
While IT budgets are shrinking, security is getting a larger portion of the IT pie. Companies with 1,000 or more employees will devote 12.6% of their IT operating budget to security in 2009, according to the study. That is almost a full percentage point above the 11.7% of the IT budget allocated the year before, which in turn marked a sharp increase over the 7.2% allotted in 2007.
The recognition among business executives of security as a business risk is due partly to a shift in reporting lines. More than half of IT security professionals (54%) polled by Forrester report to either the organization's board and CEO/president or to an executive committee, the survey showed, compared with 28% who report to IT. Despite the organizational alignment between the security group and business, however, security remains an IT-centric job at most organizations.
The survey showed that responsibility for infrastructure security, identity and access management, threat and vulnerability management, regulatory compliance and even physical security, for example, falls primarily or exclusively to IT security groups. Those tactical duties allow little time for broad strategic initiatives, Penn said.
The security strategizing that is done happens without much input from the business and with only tepid support, he said. More than two-thirds of the firms polled (70%) said other organization priorities take precedence over security plans.
"When you look at the challenges, it is surprising to me that despite the reporting lines, there is still this issue of getting enough executive backing for projects," Penn said.
But the disjunction shows just how hard it is for IT people to articulate the value of security investment in a way that business executives understand, he added. "They need to show that this money is going to give the business some kind of return," he said, as a first step in encouraging the business to help set strategy and develop metrics for measuring security ROI.
Full disk encryption hot for 2009
Meantime, IT security strategy has shifted pretty dramatically in the past few years, Penn said, from a focus on threat defense to protecting an organization's data assets. Indeed, data security was the highest priority for 90% of IT security organizations, surpassing threats cited in the past like malware (ranked sixth of 11 security issues) and regulatory compliance (ranked seventh). Application security (86%) and disaster recovery and business continuity (81%) came in second and third on the list.
The focus on data protection represents a "pretty healthy approach" to security, in Penn's view. Rather than following hackers' latest bag of tricks, IT executives are taking an asset-based approach, determining a company's most important data stores and building defenses around them.
"There is a growing recognition that the focus should be on what the attacks are actually doing to business assets, rather than looking at the kind of attack, per se," he said.
Adoption of threat management tools still outpaces adoption of endpoint data protection technologies, but investment in data asset protection is definitely accelerating. Full disk encryption leads the client security technology portion of the shopping list, with 22% of respondents saying they plan to pilot or adopt it in the next 12 months.
IAM, managed security services growing
In another notable shift from years past, firms told Forrester that security -- not compliance -- is driving their adoption of identity and access management (IAM) technologies. Although the expense (38%) and complexity (30%) of IAM are concerns, 15% to 21% of firms will pilot or adopt a range of IAM technologies in the next 12 months. In the IAM arsenal, enterprise single sign-on is grabbing the most attention, with 21% of firms planning to pilot or adopt it, followed by provisioning (19%).
The survey also showed that large enterprises are increasingly going to managed security services to find specialized skills (29%) and reduce costs (28%). While email/Web content filtering is the most popular managed service today, vulnerability assessment and host event log monitoring/management show the greatest promise for growth in the next 12 months. The percentage of companies planning to outsource these areas would nearly double the percentage already using these services.
"We think of managed security services as something that people turn to just for cost savings," Penn said. "But we are seeing pretty strong adoption of managed security services across both SMBs and enterprises, and a lot of it has to do with the skills shortage. People are unable to find staff with the right skills, or in some cases, don't want people with those skills and find it just as effective to outsource it."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.