No single market can claim immunity from the global financial meltdown that has crippled the United States in a way not seen since the Great Depression.
But there are exceptions to rules – at least partial ones – and few would dispute that given the sophisticated threat landscape and ongoing compliance demands, IT security is being seen as a business essential.
Some 15 months removed from the Lehman Bros. collapse, which marked the largest bankruptcy filing in U.S. history and sparked a domino effect of economic calamity not seen in generations, the IT security industry pulled through relatively unscathed, according to experts. In some verticals, the space actually has flourished. So, it is no wonder that security professionals are looking ahead to next year with optimistic eyes.
“We haven't seen a major impact on security programs,” says John Pescatore, Gartner vice president and research fellow. “I'm just not seeing that the economy caused drastic budget cuts [within organizations].”
This is attributable to the growing recognition that, in the risky world in which we live, robust IT security can offer mitigation.
“Overall, the portion of the IT operational budget devoted to security has risen by about five percent since 2007,” says David Foote, CEO of Foote Partners, an IT research and advisory firm. “Companies have finally gotten a little more religion about the fact that security is a threat to their product brand. It's costing companies a lot more when there are breaches.”
It would be foolish, however, to consider 2009 an across-the-board success. After all, IT budgets have fallen an average of about three percent, year over year. This has resulted in a number of stalled projects, many of which have affected security departments, Pescatore says.
For instance, through conversations with his clients, Pescatore has observed a number of occasions when organizations delayed maintenance initiatives, such as server and firewall upgrades or patch deployments. In some cases, organizations faced with hiring freezes held off on adding new personnel. In other words, because most IT budgets either held stable or dropped this year, security teams have been forced to do more with less.
In January, the government released figures showing the U.S. economy suffered its largest slowdown in nearly a quarter of a century during the last three months of 2008. But in the same month, Heartland Payment Systems, one of the nation's leading credit and debit card processors, disclosed what is considered to be the largest all-time data breach, executed by a well-trained crew of hackers.
So when it came time to make buying decisions, many organizations found themselves guided more by Heartland than by the nation's gross domestic product. That meant purchasing security products, such as web application firewalls, file-integrity monitoring and payment security solutions, to deal with the latest and most sophisticated threats, Pescatore says. It also meant holding onto staff, even if nobody new was coming through the doors.
“CEOs are not dummies,” Pescatore says. “They run companies. They prioritize what to cut. They know it's a dangerous world. When the bank has budget cuts, it doesn't fire the guards. It might lay off some tellers.”
Foote says a recent study conducted by his firm concluded that based on the 199 IT certifications that Foote Partners tracks, the market value for those accreditations was down 6.2 percent since December 2007. However, of the 45 certifications that are security-specific, the market value rose three percent.
“It's a counter trend,” he says. “People have not stopped paying for security talent.”
Spending strong in places
Admittedly, though, some markets are doing better than others. For example, 2009 served as a wake-up call for the health care industry. As prescribed under the HITECH Act, a national breach notification law took effect for health care organizations, as did additional security and privacy requirements.
The energy industry also is extending more resources to cybersecurity, in light of reports of utility system intrusions and in advance of the next generation of IP-based technology, such as the smart grid, experts say. In April, lawmakers introduced the Critical Electric Infrastructure Protection Act, which requires the Federal Energy Regulatory Commission to assess and establish interim standards to protect the critical electric infrastructure from known cyberthreats. Also, the bill would require the U.S. Department of Homeland Security to conduct an investigation as to whether federally owned critical electric infrastructure has been compromised.
However, within financial services, which bore the brunt of the economic fallout and has experienced increased mergers and acquisitions, security spending has suffered, which certainly is a big blow, experts say. The same goes for state governments, whose piggy banks largely are tied to taxpayer dollars.
Federal government, on the other hand, may be doing the most swimmingly of all, says John Slye, a principal analyst at INPUT, a market analysis firm. That is because agencies are waking up to the fact that foreign adversaries, possibly government sponsored, are targeting the intellectual property stored on many of their networks.
A report in October prepared for the U.S.-China Economic and Security Review Commission concluded that the Asian nation is likely using its sophisticated IT systems to spy on America.
“China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long-term, sophisticated, computer network exploitation campaign,” the report said. “The problem is characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks and an ability to sustain activities inside targeted networks, sometimes over a period of months.”
Slye said federal government demand for information security products and services is estimated to jump from $7.9 billion this year to $11.7 billion in 2014, an annual growth rate of 8.1 percent, which measures more than twice the rate of total IT spending.
Much of the earmark will go toward salaries – DHS just announced plans to hire 1,000 people for cybersecurity roles – and technologies, such as monitoring and forensics, to help detect and investigate sophisticated attacks against the government.
“It's a high priority within the [Obama] administration and they recognize that, frankly, the cost of failure in this area is too high,” Slye says. “In the pecking order of priorities, cyber is going to stay high. It seems to be somewhat bulletproof from a recession or agency squeeze perspective.”
He admits that federal government is in an enviable position compared to its state counterparts. “They can print more money and they can deficit spend,” Slye says.
This is good news for vendors, as well. Pescatore says he has seen no major effect in business on the market-leading security solutions providers. And those companies that cater to small- and medium-sized businesses should find 2010 promising as well, experts say. While SMBs traditionally have not focused as many resources on security – a majority chose to cut or make no change to their budgets last year, according to McAfee – Gartner expects them to provide the greatest percentage jump in security spending next year as they play catch-up.
One area where the security industry seems to be suffering is in the venture capital arena. Security software may still be in demand, and the market-leading providers may be performing well, but fewer VCs seem willing to take the risk of investing in start-ups, according to the latest figures from PricewaterhouseCoopers and the National Venture Capital Association.
Nowhere is it more evident than this year. The number of venture capital deals investing in security software in the first three quarters of 2009 is down more than 55 percent from the same period a year earlier.