Business management remains skeptical of the benefits of security spending on employee awareness training. Remote employees are more likely to be out of the loop on security risks than their cubicled counterparts. Mobile devices are vulnerable. Human error, alas, combined with technical glitches -- doh! -- remains the main cause of severe information security breaches. And the severity of IT security breaches is rising, even as the prevalence among U.S. firms has declined, suggesting the life of a security pro is as harried as ever.
But money for security, it appears, is less of an issue in 2009, at least relative to other areas of IT. According to the CompTIA study, spending on information security processes, training and especially technologies is expected to increase approximately 20% to 25% globally, with India and China outpacing the U.S. and the U.K. The upswing comes at a time when IT budgets overall are expected by market watchers such as Gartner Inc. to decline worldwide in 2009. (Our own survey found IT security spending in 2009 would grow at 43% of all firms surveyed and in 33% of midmarket IT budgets.)
DOD, government mandate may be driving spending
So why is security a bright spot on the IT spending landscape?
Some of the upswing may simply reflect where companies are in their refresh cycles, said Todd Thibodeaux, president and CEO of CompTIA. The government's robust IT security spending may account for some of the push.
"But really, it may be they're hearing the footsteps of the federal legislation, of state legislation, coming down the pike. There is likely to be a cybersecurity bill this year, and maybe people want to make sure they are prepared when legislation does get out in place," Thibodeaux said.
Security standards that come out of the Department of Defense or are attached to the American Recovery and Reinvestment Act of 2009 are likely to spread to corporations.
"Anybody that connects … [across entities] has to have a certain level of security and protocol. I'd like to think that people are being foresighted about what is coming, because there probably are going to be mandates that require people to have a degree of safety and security in their networks," he said.
Indeed, CompTIA hopes its new Security Trustmark, a vendor-neutral, business-level accreditation aimed at helping companies identify and fix problem areas in information security policy, processes and planning, will be embedded in state or federal legislation as a safe harbor standard.
Security spend 19% of IT budgets; technology tools predominate
In the U.S., the average spend for computer security at firms accounted for 19% of IT budgets in 2008, consistent with the past three years, according to the 623 North American respondents. Mean spending on security-related technologies jumped by 20% from last year, with slightly more than a quarter of the organizations surveyed spending more than $250,000. The biggest chunk of budgets (39%) goes for security technologies, with training and security processes a distant second at 16% and certification pulling up the rear at 10%. Technology is also the area that respondents said is most likely to increase in the coming year; spending on certifications, the least likely.
Analysts at Gartner said the growth, which covers the spectrum of technology tools, comes even as information security technology has seemingly become less of a priority for CIOs, falling in recent years from a top-three concern to No. 8. Going forward, spending is expected to grow on mature security safeguards in wide use, such as antivirus, along with investment in cutting-edge solutions such as security information event management, scaled down by vendors to solve particular compliance problems, writes Gartner analyst Adam Hils.
Network and endpoint security are enjoying robust growth, accounting for more than half of IT security budgets, according to the data from Stamford, Conn.-based Gartner. Security as a Service shows growth promise. And the predilection for best-of-breed vendors in security appears to be shifting, the data shows. Gartner predicts that by the end of 2010, companies increasingly will rely on a single vendor for most applications. The data will be presented next week at the Gartner Information Security Summit in Washington, D.C.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer