Security Planning: Reactive or Proactive?
By Guy Currier | Posted 03-11-2011
Exclusive Research: Enterprise Security Spending Trends
When we initially set out to examine how organizations were budgeting and spending on IT security, we knew it would not be a straightforward or simple proposition. Security spending doesn't take place in a single, well-defined area, with one set of budget lines and discrete products. Rather, whatever IT security strategies, procedures or resources may exist at your organization, there's a good chance that the associated costs are largely, even exclusively, buried under nonsecurity headings. That's why we couldn't just ask about IT security budgets; we had to ask about security-related spending within other budget lines as well. And we had to understand the relationship between the two.
In January 2011, we fielded an online survey to members of our extensive database of enterprise IT executives, asking them about security budgets and about the influence IT security has on nonsecurity budgets. (Editor's note: You may also download this report, Enterprise Security Spending Trends, with accompanying charts in PDF form.) The survey received 164 responses from individuals knowledgeable in these areas and working in organizations with at least 50 employees; 49 percent of respondents work in enterprises with at least 1,000 employees.
We were surprised to learn that half of these organizations actually have no dedicated, corporatewide budget for IT security (see Finding 1.1). This is true even in the largest organizations, and it means that spending, including staffing, frequently occurs on the departmental, project and application levels. The implication is clear: Security planning is not occurring on a strategic level as much as it should.
Security Planning: Reactive or Proactive?
If your IT organization is in a reactive posture when it comes to security, then it is probably falling into the 50 percent of respondents who have no corporatewide security budget. Why? Because with no companywide security strategy, what you are doing is responding to the individual needs of the various stakeholders at your organization, as those needs arise from usage or new project development.
It's important to be able to respond to your internal clients' needs, of course, but without dedicated security resources, you don't have a good way to assess risk, evaluate loss scenarios or set appropriate investment levels. That's not even considering the obvious benefits of economies of scale and sharing of knowledge and experiences.
Where a centralized security budget exists, a significant portion is allocated for dedicated IT security staffing, according to our survey. While security hardware, software and services combined form an average of 48 percent of the dedicated budget, staffing alone represents 34 percent (see Finding 1.2). Staffing is a clear initial requirement for investment if you want to take a strategic approach to security. You need knowledgeable, capable people to formulate, monitor and develop your security infrastructure, even if individual security solutions are deployed at the business-unit level.
When solutions are part of a centralized company budget, security hardware forms a significant share of spending, with software and services accounting for only 13 percent and 12 percent share-of-spending, respectively. The ongoing replacement of much security software with service-based offerings partially explains its low share. But why aren't services greater? With 95 percent of the IT executives we surveyed saying their companywide budget has a services portion -- more than any other area (see Finding 1.3) -- services are clearly popular. The trick is that spending per employee on security services is the same as -- or a bit lower than -- it is for software. So organizations are adding the flexibility of services at a similar cost per employee.
As befits the strategic nature of a dedicated security budget, a significant share is spent on consulting. It's interesting to see that business consulting is almost as much a part of strategic security planning as is technology consulting. You could pass this off as being due merely to the legal and regulatory issues often tied up with security. However, a sound security strategy can just as well point the way to effective entry into new markets, increased operational efficiencies, enhanced knowledge sharing and other areas that affect a business's bottom line.
Where's the Security Spending?
How and where does IT security spending appear in nonsecurity IT areas? Every area -- from mobile devices to application development -- can see spending shift to address security needs. What's particularly relevant is how IT security needs and plans favor some nonsecurity areas more than others, thereby shifting budgets throughout IT (see Finding 2.1).
There are obvious gainers, such as compliance and governance budgets. A whopping 71 percent of respondents say that their compliance and governance budgets have increased as a result of IT security spending. Likewise, 62 percent of respondents report that their cloud computing budgets have increased because they incorporate spending on security.
But there are less obvious gainers as well, such as the application development budget, which frequently includes security spending. The app dev budget also has the highest average share of its budget -- 12 percent -- set aside for security (see Finding 2.2).
What's going on here? There are two possible reasons why so much of the application development budget must be spent on related security: the importance of security and the cost of development-related security. For survey respondents, it must be security's importance that drives additional spending, since cloud, collaborative and mobile computing have created new authentication, identity management and transaction control needs that flow all the way up to the application layer.
Similar considerations drive the high proportion of companies' spending on security as part of the IT operations or enterprise software budgets. User- and usage-management issues are why these businesses are spending an average of 6 percent more on IT operations and 7 percent more on enterprise software to address IT security.
These spending areas are bigger than they might normally be because they incorporate security spending. The same is true of mobile device spending, with 56 percent of survey respondents including security as part of this budget; desktop software (53 percent); and, to a lesser degree, PCs and networking software. Left out are server and storage budgets, which seldom include security spending. Database and content software, as well as nonmobile telecom, are also little affected.
Enterprise Security Spending: What's Ahead
What security trends can we look forward to? To begin with, 2011 is shaping up to be a year of renewed interest and investment in IT security solutions generally. With social networking added to cloud, collaboration and mobility uses, we have new business opportunities that also engender serious information and intellectual property threats. The typical organizationwide security budget in our study is expected to grow by 10 percent over 2010 levels (see Finding 3.1) -- a median that holds in the largest enterprises as well.
It's also worth noting that close to a third -- 29 percent -- of the enterprises we surveyed expect their organizationwide IT security budgets to increase by 50 percent or more (see Finding 3.2). Clearly, in most cases, this doesn't represent all incremental spending for the company. Most likely, a good proportion of it represents centralization of security initiatives, such as movement of spending out of other line items and into an organizationwide security budget.
This movement creates a proactive, opportunity-seeking approach to IT security, which potentially gives the organization increased flexibility and improved prospects for growth. Is it also a harbinger of a comprehensive and strategic approach to security in the enterprise in the years to come? We think so. Certainly, we recommend this strategy, and not just for reasons of efficiency.
Security is like insurance, but, oddly, there are few actuaries for it, whether in IT or in finance. This means that companies have little understanding of the (very real) costs of a lack of investment. To gain that understanding, and achieve a comprehensive and business-focused security strategy, organizations must centralize.
If this sort of thinking had any influence, most enterprises would have centralized long ago. In our view, it's the truly pervasive nature of the underlying trends currently driving security investment -- the fact that adoption of social networking, cloud computing, collaboration and mobility is generally occurring on an organizationwide basis -- that will, in turn, lead the enterprise to pursue organizationwide security strategies and solutions.