IT Security Spending: New Building Blocks
Perhaps we should not be surprised. It does seem as though the basic building blocks of an IT strategy are becoming quite different: a transformation we've been reporting on for some time. But forward-looking as it is, this kind of reporting can sometimes overstate the degree to which transformation is actually occurring now. One of the advantages of conducting research is that it can put trends in perspective. Those four new elementals (virtualization, mobility, cloud computing and consumerization) may be the real future of IT, but that doesn't mean they've taken over the present yet. And IT security must always focus strongly on current realities on the ground.
That said, we're not entirely happy about what looks, in general, like a cautious approach to IT security. The first reaction of risk managers to new technological developments tends to be adjustments to policies and procedures, especially to prevent or modify user behavior. Though this is an effective way to reduce risk levels (or at least caution the business about the risks involved) while buying time to formulate an effective security response, all too frequently it seems that the work stalls there. In the case of cloud computing and consumerization, particularly, the potential for improved productivity and growth is big and immediate enough that it behooves organizations to push on and adopt security solutions that enable taking full advantage of them.
In last year's report, we concentrated most on the amount of security spending that was "hidden" outside of any dedicated, centralized IT security budget. This point bears repeating this year, particularly given that many fewer of our survey respondents say their organizations have such dedicated IT security budgets: only 42 percent, compared with 50 percent in 2011.
Centralization and decentralization come and go in waves, and looking at these results, we may very well be seeing some decentralization arising from today's pretty intense business-side pressure to deploy and manage IT to achieve business goals. For example, the survey reveals a reduction of IT consulting spending as part of the corporate security budget, where it exists; with so much activity at a departmental level, IT becomes more reactive and management-focused, and less proactive in planning. This is true throughout IT these days, of course; it's not particular to IT security.
Corporate security managers surveyed do remain, on the whole, hopeful about the prospects for the corporate security budget this year. Half of those we surveyed expect at least 10 percent growth in 2012 over 2011. But it must be said that last year's survey results were similar. In fact, when you look at the share of specific budget growth expectations, security managers polled are actually less optimistic this year. Just over one quarter of respondents expect their centralized security budget to increase by 25 percent or more. Last year, 25 percent of respondents expected their centralized security budget to increase by at least 50 percent.
We're in an era in which business departments and their employees are finding and deploying applications, platforms and services on their own. One viable security strategy to deal with this is to push risk-remediation out to these same lines of business. We expect this trend to be short-term, representing only the decentralization part of the cycle. Recentralization will take place as the new IT elementals develop and mature, and central IT infrastructure efficiencies are found again.
In strange times, you should continue to rely on your common sense and gut instinct as you learn and experience more about the changes around you. Perhaps this is an overly dramatic way to characterize the IT transformation we're currently experiencing. But you can say at least that when it comes to IT security, you should continue to rely on the common-sense risk-investment equation that shows you how much, and where, to invest:
- Annualized loss expectancy ($ALE) = chance of an event each year × estimated loss due to the event;
- $ALE without the remediation measure − $ALE with the measure = $savings per year (realized or not);
- Any security investment lower than the $savings represents net lower costs for the organization and is profitable spending.
When you think about it, it's only the calculation of $ALEs that has changed because of virtualization, mobility, cloud computing and consumerization. Each of these elementals brings multiple new threat vectors with it. Identifying those vectors is the easy part (to the extent that we all know we can never find them all, so we must keep looking on an ongoing basis). The hard part is estimating the likelihood of an event from that vector. That is always the chief bone of contention between technology proponents and risk managers. There's nothing new there.
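The risk-investment equation above, worked through in code as an added example (not part of the original article): it computes $ALE, the yearly savings of a remediation measure and its net benefit, ranks several candidate controls, and also solves for the break-even event likelihood, since the likelihood estimate is the input the text identifies as the real point of dispute. The threat vector, controls and dollar figures are constructed for illustration, not survey data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One threat vector: how often it happens and what a single event costs."""
    aro: float  # chance of an event each year (annualized rate of occurrence)
    sle: float  # estimated loss due to one event, in dollars

    def ale(self) -> float:
        # $ALE = chance of an event each year x estimated loss due to the event
        return self.aro * self.sle

@dataclass(frozen=True)
class Control:
    """A remediation measure and the share of the risk it removes (hypothetical model)."""
    name: str
    annual_cost: float    # yearly cost of the security investment
    aro_reduction: float  # fraction of events it prevents (0..1)
    sle_reduction: float  # fraction of per-event loss it removes (0..1)

    def residual(self, risk: Risk) -> Risk:
        return Risk(risk.aro * (1 - self.aro_reduction),
                    risk.sle * (1 - self.sle_reduction))

def annual_savings(risk: Risk, control: Control) -> float:
    # $ALE without the remediation measure - $ALE with the measure = $savings per year
    return risk.ale() - control.residual(risk).ale()

def net_benefit(risk: Risk, control: Control) -> float:
    # Positive when the investment is lower than the savings: profitable spending
    return annual_savings(risk, control) - control.annual_cost

def breakeven_aro(risk: Risk, control: Control) -> float:
    """Lowest events-per-year estimate at which the control still pays for itself.
    Savings scale linearly with ARO for a fixed SLE, so this isolates the likelihood input."""
    removed = 1 - (1 - control.aro_reduction) * (1 - control.sle_reduction)
    saved_per_event = risk.sle * removed
    return float("inf") if saved_per_event == 0 else control.annual_cost / saved_per_event

def rank_controls(risk: Risk, controls):
    """Controls ordered by net benefit; negative entries cost more than they save."""
    return sorted(((c.name, net_benefit(risk, c)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)

# Constructed figures for a consumerization (BYOD) data-loss vector; not survey data.
BYOD_LEAK = Risk(aro=0.5, sle=200_000.0)  # $ALE before remediation: $100,000
CONTROLS = [
    Control("MDM with remote wipe", 30_000.0, aro_reduction=0.0, sle_reduction=0.7),
    Control("Ban personal devices by policy", 95_000.0, aro_reduction=0.9, sle_reduction=0.0),
    Control("Awareness training only", 5_000.0, aro_reduction=0.1, sle_reduction=0.0),
]
```

With these figures the ban removes the most risk yet has a negative net benefit, while MDM is the profitable choice as long as the event rate stays above roughly 0.21 per year; `breakeven_aro` is where a technology proponent's and a risk manager's likelihood estimates can be tested against each other.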
This simple kind of corporate and IT discussion of risk is not occurring in most organizations, and hasn't been for some time. And though, as we mentioned at the start, we probably should not be surprised that security strategies have not changed very rapidly in response to these strong trends sweeping through IT, we can also say that this is one unfortunate result of a general lack of ALE-based planning.
From this perspective, our survey results highlight not just real opportunities for the security strategy to contribute to the bottom line; they point to a method as well. As we have all experienced, the four elementals are unlikely to wait for us. You would do well to buck the security spending trend, using good old-fashioned risk assessment to find ways to put today's most revolutionary technology tools firmly in the hands of the most creative executives and employees in your organization.