Gartner analysts predicted a small subsection of the most advanced large organizations will spend less of their overall IT budgets on security in the coming year.
Published last week by the firm, a report entitled "Security Market Growth Continues Despite Some Budget Stabilization" said that while analysts expect security spending to remain on the rise through 2008, a growing number of businesses will spend only 3 to 4 percent of their IT budgets on security, compared to the average 5 percent to 6 percent.
"Our prediction is that some of the top organizations will be able to reduce the percentage of security spending without losing effectiveness," said Rich Mogull, one of the report's authors and research vice president with Gartner. "The most mature organizations are getting more efficient with their security operations."
The report predicted that overall information security spending will increase by approximately 4.6 percent in 2006.
"The overall market will continue to grow through 2008 as IT budgets continue to grow, even as security budgets of a small, but growing, group of leading organizations start to stabilize," the report said, stating that this group will reach 20 percent of large organizations by 2008.
It might be tempting for the bean counters to use this predicted trend among industry leaders to curb security spending at their own organizations, but Mogull warned businesses to abstain from monkey-see, monkey-do spending practices.
"That is a really common problem. A lot of people will ask us, 'What are others in my industry spending on security?'" he said. "While there is nothing wrong with asking, that does not always indicate what you should spend on your budget."
He said that security spending should remain a highly individualized number depending on a number of factors. According to Mogull, only those organizations that have reached a high level of maturity in processes, governance, accountability, architecture, measurement and reporting will begin to stabilize their spending.
All others will need to continue to grow their security operations, he said.
"For example, some organizations started spending a lot on security late in the game," Mogull said. "As a result, they might need to go ahead and play catch up for several years."