Check-box security programs, sometimes driven by FUD-based arguments, are still compelling when fighting other departments for tightly controlled budget dollars. Yet holistic risk management and security plans, driven by strong information security professionals and strongly supported by forward-thinking executive leaders, are staking a claim in some large businesses – despite a still concerning economy.
The problem, though, is that the former scenario still dominates. And though some economic indicators support incremental but slow improvements in coming months, others point to many of the Great Recession’s effects lingering well into 2011.
IT security spend, then, likely will remain flat this year, according to SC Magazine’s fourth annual Guarding Against a Data Breach survey, which was conducted by SC Magazine and ArcSight with research firm CA Walker. Out of the 468 information security leaders participating in the survey, 36 percent expect their budgets for IT security projects and data leakage prevention efforts to increase in 2011, compared to 41 percent out of 399 in 2010. The great majority of respondents – close to 60 percent – expect budgets to stay the same. On the positive side, only six percent face a drop in funding this year compared to 12 percent last year.
So, at least some organizations can still satiate their needs. But just how are these defined?
This takes us back to the original issue. Regulatory mandates are continuing to drive IT security programs. And, as the saying goes: You can get compliant with a sound security program in place, but you might not necessarily get information assets secured with a compliance-based plan. For many information security pros who know this, reliance on their stakeholders’ fears, uncertainties and doubts – the all-too-present FUD – sometimes works. So they get bits of financial support or resources that allow them to address a particular vulnerability in their networks. That is a good thing, but it still leaves other holes gaping for cybercriminals to march right through. And forget about a more strategic, overarching plan.
Solutions to all these challenges aren’t simple. But the consensus among experts commenting on this year’s data breach survey is that the answer lies somewhere with the need for information security pros to educate their executive leaders to understand (and accept) that well-thought-out information security programs can enable the business and also satisfy customers’ expectations, which might lead to some profit gains. After all, for the first time since the establishment of this survey, possible negative impact to the corporate brand has tied with compliance demands as a top driver for security planning. It was an ever so slight change, but a change nonetheless.
For now, those in the information security arena will continue to take what they can get, it seems. If FUD or regulations still play a role, show them the soapbox…and the money.