Though security budgets for 2009 are complete, more than three-quarters of companies polled in a new study will be facing revision pressure.
These findings, however, came with some good news for IT security professionals: IT security budgets are getting cut a little bit less than other sectors.
Moderator Dov Yoran, partner at business advisory firm MetroSITE Group, presented a summation of the findings of the online survey at a panel discussion, "Security Budgets: What are decision-makers thinking," on Thursday at the RSA Conference in San Francisco.
The survey was conducted during March by MetroSITE and Pacific Crest Securities, a technology investment bank. It polled 50 executives, two-thirds at CxO or VP level, from a diverse group of organizations.
Not surprisingly, collaboration efforts and cloud computing are still getting funded, as are disaster recovery efforts, and revenue-generating projects, the survey found. Among initiatives that are losing funding are new project deployments.
Security projects are still receiving funding, Yoran explained, particularly those that are regulatory and compliance driven. Also receiving budget dollars are projects protecting mobile devices, identity and access management, encryption, maintenance, network security upgrades, endpoint upgrades, and data leakage prevention.
Security projects at risk of losing funding, according to the findings, include new hardware and software, longer-term ROI projects, development, penetration testing, vulnerability assessment and forensics and network monitoring.
The biggest growth area for security vendors in the next two years, according to the study, will be security within the cloud and virtual environments, event management, data leakage prevention, identity management and mobility
And the biggest driver to security spending in this economic environment, the survey found, are compliance, threat reduction, and brand protection from high profile attacks.
Panel member Pam Fusco, the former CISO at Merck and now a board member at the Information Systems Security Association, said she sees security spending making a shift.
“Money is being reallocated to programs that are blended with security,” she said.
She agreed that budgets are not increasing much, but expects to see a spike in 2010. Until then, it likely will take an embarrassing incident for security departments to get more allocation.
Though there was consensus from the panel that persuading executives to allocate budget dollars for security initiatives remains a priority, panelist Bob West, CSO of information security research firm Echelon One, said the good news is that management seems to be getting the message that security is critical.
But tailoring requests must meet ever-changing demands. For example, Fusco said security must be a one-to-many solution.
“We're driven today by going to the cloud, so we need solutions that meet the needs of the multitude," she said.
West said security can add value to a company, and advocated for interoperability and increased efficiencies. This theme was taken up by other panelists who agreed that there was too much cost in integrating components. Panelists called for vendors to bake security into their appliances and software so that end-users won't need to spend later for add-ons.
Sam Phillips, vice president of corporate security of Research in Motion, emphasized business impact: “The hard part is getting the pieces of the puzzle in place and then mitigating the risk by allocating budget,” he said.
Panel members also suggested that security professionals must put their proposals into business terms to convince executives of the impact security can have on an organization.
The economic downturn is producing some positive side-effects. Alex Tosheff, CISO of Bill Me Later, said he is seeing some good deals. The venture capital folks are not putting money into the security space the way they once were, he said, but vendors are hungry to make deals.
“We can negotiate service contracts,” Phillips added. “Though there might be some risk in making long-term deals with some of the smaller players.”
The takeaway, said Yoran, was that security pros must benchmark their current security projects and budgets within a greater industry context. Also needed is more insight into critical thinking on strategic issues, such as trade-offs on current projects and near-term spending.