Despite the financial crisis, companies are still putting forth money for IT security efforts while overall IT spending is less of a priority, according to a new survey
conducted by strategy and business advisory firm MetroSITE Group
, and Pacific Crest Securities, a technology investment bank.
According to the survey of 53 security professionals on the impact of the recession on information security spending, respondents were more optimistic about security spending than general IT spending. Forty percent who will decrease overall IT budgets by five to 10 percent this year will not cut security budgets. In addition, 20 percent said security spending will increase, according to the report.
“The tendency of these data indicates that security spending remains a priority despite harsh economic constraints,” the report states.
Survey respondents said that governance, risk management and compliance (GRC), mobility, and identity and access management projects are likely to continue receiving funding this year while infrastructure expenditures are likely to fall victim to the economic situation.
Dov Yoran, a partner at MetroSITE Group and survey author told SCMagazineUS.com Monday that the need to meet compliance mandates is still the biggest driver of security spending. He added that he believes compliance has become an operational cost for many businesses – thought of by many as something that just has to be funded.
“Being complaint seems to be a cost that's already built into the business, so there's no way of pulling that apart,” Yoran said.
Mobile protection is also an area that's receiving funding attention, likely due to an increasingly mobile workforce and more powerful smart phones on the market, as well as increased accessibility of data/company information, Yoran said.
Of the handful of companies that are increasing security budgets, some may see their investment as a competitive advantage. Yoran talked to one fortune 1,000 CISO who said investing in security was a way to gain differentiation in their market segment.
While compliance and mobile security projects continue to receive funding, businesses are generally not spending money on anything new, Yoran said. New hardware, software, or anything with a longer-term return of investment (ROI) is having a harder time receiving budgeting due to the economic situation.
The survey found that vendors are reducing the cost of new products and are offering discounts for maintenance and renewals. Some 65 percent of respondents said they have been offered “heavy discounting” on new products.
In addition, some verticals reported greater discounts from vendors. Those in the high tech and software development industry commonly bargained for discounts and got them for both new products and for the renewal of existing products. Those in the service and finance industries also saw discounts and lowered maintenance rates..
Most strikingly, in the high tech and software development industry, Virtually 100 percent of those surveyed said they negotiated lower maintenance rates on renewals while 100 percent of those in government and education did not try to renegotiate their rates, according to the survey.
Yoran said there could be a number of reasons why this is the case. One possibility may be tied to the nature and culture of these industries. For example, governance and decision-making structures may be bureaucratic in some industries whereas they may be more dynamic and responsive to market conditions in others. Another explanation may be that contractual obligations in the health care, government and education industries tend to be of longer duration and are not as frequently revisited.
A similar study released last week from the IT trade group the Computer Technology Industry Association (CompTIA) concluded that management is increasingly recognizing security as a top business priority, resulting in budget increases for some organizations. Some 40 percent of organizations said they will spend more on security technologies in 2009 compared to last year, the CompTIA survey concluded.
Also similarly, in January, Forrester Research said that organizations of all sizes expected to allocate more of their IT budgets to security spending in 2009 compared to 2008.