How is the economy affecting infosec spending? Illena Armstrong discovers 2003 could see more funds allocated to security.

Infosec spending is set to increase during 2003, if the predictions of many analysts can be believed. But forecasts for a rosy future are only likely to materialize if the economy shows signs of a recovery. Organizations around the world have now come to realize that creating and enforcing a central security program is the key to the success of their business. That realization, combined with an increasing number of security breaches, more legal and regulatory mandates to adhere to, and persistent worldwide ­political ­ unrest, is expected to drive the anticipated spending spree.

According to some analysts' research, the private sector will not only allocate more funds to security, but also actually spend some of that money on infosec technology deployments and programs over the course of this year. However, experts say this is conditional on the economy's improvement.

Chris Byrnes, vice president of the Security Infusion Program at research and consulting firm META Group, says that the last six months of 2002 were filled with extensive request-for-proposal (RFP) processes, where organizations would assiduously review and pilot infosec products. Because these efforts have already been undertaken during the last half of 2002, "if the economy does show signs of resilience, we will see spending immediately."

While overall IT budgets have decreased by about three percent over the last three years, allocations for IT security have continued to rise by about 10 percent, he notes. Even in 2002, he adds, infosec budgets fattened. But due to the economic slow-down, many organizations froze spending in this and other areas of their businesses. Although ­ security was seen as a necessary expense, CFOs disallowed IT administrators and security managers from loosening the purse strings.

Developing a sense of the risks

The upside is that this inaction in buying had little to no effect on pilot programs and other efforts to get houses in order with regard to security. Michael Rasmussen, director of research for information security at Giga Information Group, says that organizations worldwide generally seemed to spend the latter part of 2002 getting a handle on their individual IT security needs and risks, and developing a sense of the organizational structure required to tackle security demands.

This retrospection often led to hiring IT security staff, developing infosec plans and conducting security assessments. Rasmussen has witnessed large enterprises go from having no IT security staff at all to putting in place 70 or more infosec-savvy professionals. According to David Foote, president and chief research officer at Foote Partners, LLC, a management consultancy and IT workforce research firm in Connecticut, demand for trained and certified IT security professionals will continue to grow as infosec continues to rise in importance among management and directors. Yet, because companies are struggling to hire security people at the management level, he predicts that organizations will increasingly turn to managed security service providers.

Magdalena Yesil, general partner with U.S. Venture Partners, agrees, noting she is seeing less investment in hiring IT security staff and more funding going to the outsourcing of infosec needs.

While there are organizations hiring some security personnel because of legislative requirements and an increased number of hack attacks, not too many companies are creating a centralized IT security group like those one might find in large financial organizations, such as Citibank or Morgan Stanley, she adds.

Those organizations that are attempting to boost the number of IT security experts on staff are demanding more than just the skills these prospective employees might tout. Foote Partners' research shows that whereas bonus pay for plain technical skills has dropped by about 25 percent in the last two years, bonus pay for those with professional skills supported by certification rose by about eight percent.

"With layoffs and hiring freezes, [executives] are more convinced that certifications are absolutely the way to single out solid people," Foote says.

Another emerging trend is that companies are using professional infosec certifications to entice system and network administrators to take on aspects of a company's infosecurity. In turn, with certified staff on board, the IT division is able to secure a larger training allocation to bolster the continuing education requirements that are often required to keep professionals abreast of the ever-changing security industry. They can argue that continuous professional training is a bona fide expenditure.

"And make no mistake, you have to make that argument because executives are now brutal [in making cuts], particularly in IT," Foote says. "They don't even understand what it takes to get the work done, and the level of expertise it takes."

Indeed, META's Enterprise Security Desk Reference for 2003 says that a huge divide between senior managers and infosec/IT staffers still persists, despite a "confluence" of happenings revealing the importance of developing an organized security program.

"Our research indicates a disconnect between how senior executives and IT/security management view security policy compliance," it states. "Although the majority of Global 2000 companies have a dedicated information security group, the roles and responsibilities within these groups are often unclear."

The other problem, according to META, is that security teams have to continually contend with "complex and expensive technology," as well as "fragmented budgets [and] years of under investment."

Still, even with the enduring uncertainty on where security stands within organizations around the globe, statistics show budgets are getting bigger. Giga research reveals that by the middle of the year many companies will plump their rather flat budgets for infosec. Also, International Data Corporation (IDC) projects that spending on IT ­ security and business continuity will jump from $66 billion in 2001 to $155 ­ billion in 2006. And, META is estimating that security budgets are rising at a 40 to 50 percent compound annual growth rate, a figure that is being "driven by increased investment in both technology and external services," states META's Desk Reference.

"Security budgets are becoming more centralized, with a security team coordinating investment in most organizations," the Desk Reference continues. "Improved product integration and maturity will also help stabilize the investment curve during the next couple of years."

Although Giga's Rasmussen is optimistic that the coming months will see organizations actually spending money on implementing stronger security measures and deploying more sophisticated security tools, he concedes that the steps to get there will be far from simple.

"It's going to be an uphill battle. We're not back to what we were seeing three years ago [as far as investment in security products and services go]," he says. "People want to spend their money wisely. People aren't going to just drop money on solutions for the sake of ­ saying they have security." 

Illena Armstrong is U.S. editor of SC Magazine.


Price-checking security needs

Particularly in a floundering economy, justifying any budget line item can prove time-consuming, but trying to define the worth of suggested security expenditures is proving an even more laborious process.

Sign-off for such expenditures can be especially arduous when monies for them are being allocated from an umbrella account. As funding for security is more frequently being taken from a company's overall IT budget, responsibility for final approval of purchases has shifted, says Chris Pick, vice president of product strategy and marketing at NetIQ's security management and administration business unit.

"Based on current economic conditions and a greater responsibility to shareholders, we saw CIOs and CFOs - executives with fiduciary responsibility - much more involved in the final sign-off process and, in some instances, this slowed down the purchasing process," he notes.

And no business division - IT or other, is left with the ability to just buy a product the company might very well need to secure its various business initiatives, says Iain Franklin, European vice president for Entercept Security Technologies. However, security is simply not optional in today's connected corporate world - a truism that many "forward-thinking companies" are quickly grasping.

"In the current atmosphere of cost-cutting, relying on virus protection and a firewall simply isn't enough. Security must now play a greater role than ever in defending an organization's future," Franklin says.

Fortunately, organizations in areas that show a "higher degree of technology adoption" are buying more sophisticated security products, says Pick, moving past firewall and anti-virus buys. Additionally, organizations in industries where legislative mandates are now requiring more stringent security measures, are stepping up to the plate.

"We saw a strong showing from companies that required security solutions to meet regulatory needs because they have limited choices as to how long they can delay purchases," he says.

Still, for many companies, attempts to defend security expenses sometimes lead to a wait-and-see attitude, "as common methods of calculating return on investment are inappropriate for security projects," Franklin adds. "Security spend is equivalent to buying insurance: if a business doesn't have security procedures in place, it is only through suffering a loss that the need becomes apparent."