It’s official. According to an Oct. 30 release from the Commerce Department, the U.S. economy shrank at an annual rate of 0.3 percent in the third quarter of 2008, the first time this has happened since 1991. Business spending on new equipment and software fell by 5.5 percent, and Forrester recently predicted that software and IT vendors will average 3 to 5 percent growth compared to the 9 to 12 percent they had earlier in 2008.

Like many, Alan Mattson, VP of business development at Modulo, a leader in IT governance, risk and compliance management automation, has been listening to the financial news. While he admits that he’s worried that spending for IT security might slow down, he says he has yet to see any tangible proof of that.

A deal his company has been working on with a major New York bank is proceeding. Requirements, especially at banks, necessitate they be aware of security of their vendors and service providers, he says.

“It’s too early to say that security is recession-proof,” Mattson says, adding that security of data is vital to companies.

Phil Neray, vice president of strategy at Guardium, a Waltham, Mass.-based database security company, agrees that most companies, especially those in financial services, absolutely must safeguard the integrity of their data. But, he adds, when times are tough, companies look at how they can do more with less. “If you can replace manual processes with automated processes, you have a good shot of being approved by the CFO,” he says.

While security personnel may not be accustomed to making an ROI argument to get budget approval, he says, outlining how an automated, centralized, appliance-based approach can replace licenses, mass storage of log files, third-party personnel digging through those logs, makes for a pursuasive case.

“This is especially true if you can demonstrate how a software system will pay for itself in less than six months.”

Johnnie Konstantas, vice president of marketing at Varonis, which provides data governance solutions, says her company has yet to see a slowdown in its business. While she admits that companies are holding their collective breath, during the third quarter Varonis added quite a few customers.

The caveat, however, is that some companies want to quantify ROI to upper management, she says. “Security companies have always talked about ROI, but mitigation of risk is hard to quantify. We’re showing our customers that, security benefits aside, there are a whole bunch of operations we can clean up for them.”

“Compliance and regulatory requirements are increasing and they are not optional,” says Neray. “Controls must be in place, and they will increase over time.”