Telecom consultancy Gartner went out on a bit of a limb in a recent report which finds that despite ongoing security risks, those companies described as “efficient and secure” will be able to reduce their security spend by 3 to 6 percent of their total IT budgets by next year, without compromising their overall protection. To reach these figures, though, businesses must move to more mature and recently-updated security programs or platforms that perform myriad functions such as endpoint security, next-generation, multifunction firewalls for head and branch offices, and Web and e-mail security gateways.
Gartner suggests deploying such platforms only where it makes sense to do so, based on customer requirements, but also points out that many end-users are more comfortable with multi-vendor, best-of-breed solutions that deliver greater functionality in specific areas than an all-in-one unit can provide, offering vulnerability assessment as an example. Gartner predicts many customers will also evaluate security solutions that carry lower-cost contracts and less expensive delivery models (read: hosted or cloud security services); these IT managers are also looking at open-source tools, or outsourcing particular security tasks to contractors.
“The average percentage of IT spending that security will comprise in 2010 is 5 percent, down from 6 percent in 2009,” said Vic Wheatman, research director at Gartner. “In 2009, in the face of a significant IT spending downturn, security spending grew slightly as a percentage of the IT budget, while many other IT spending areas were gutted. With the economic situation projected to improve in 2010, enterprises are ramping up investments in other spending areas faster than they are for IT security.”
As always, the economy is a key determinant in shifting security spending patterns and, consequently, the number of security project implementations. The report found that external security spending (securing a company from external threats) remained roughly even over the last few years as the recession hit, and similar spending levels should continue throughout this year. But a “significant number” of IT security companies were forced to hold back on large-scale, high-cost initiatives last year. For 2010, though, the outlook is brighter for security projects that protect new business initiatives; the report singled out identity and access management (IAM) and data loss prevention projects as particularly likely to make a strong comeback.
Breaking the numbers down a bit, the report finds IAM is the highest security priority for 20 percent of businesses surveyed in Gartner’s 2010 CIO Survey. More than 40 percent ticked off intrusion prevention systems, patch management, data loss prevention, antivirus and identity management as their five highest security priorities this year.
There will likely also be no letup in spending to secure key business operations, such as guest networking support, employee teleworking, wireless LANs, meeting Payment Card Industry standards, consolidating audit trails, security information and event management, and penetration testing requirements, as well as intrusion prevention.
Of course, business security spending patterns vary widely across market segments and company size. For instance, Gartner found North American companies were the biggest security spenders last year, with a 5.5 percent chunk of their IT budgets devoted to security. The numbers drop to 5 percent in Asia/Pacific, 4.8 percent in Latin America and 4.3 percent in Europe, the Middle East and Africa. In addition, those verticals that are usually characterized by higher-profile, more regulated companies are likely to up their security spend to mitigate risk and protect financial assets and intellectual property. In these markets, key vertical industries such as professional services (6.8 percent), government (5.9 percent) and banking and financial services (5.3 percent) are particularly security-minded.
“Determining how much a specific enterprise spends on information security is not an easy exercise, particularly during [a] time of economic uncertainty,” said Wheatman. “However, regardless of industry or geography, we would urge organizations to use their best efforts to evaluate enterprise spending, while recognizing that they may not be capturing all security spending because of organizationally diffused security budgets.”