Enterprise Security Spending: Bucking the Trends

Guy Currier Avatar

Updated on:

The more things change, the more they stay the same. While much of IT is engulfed in sweeping transformation brought on by four technology trends — virtualization, mobility, cloud computing and consumerization — it turns out that organizational approaches to risk are reverting to old form.

We can see this in the results of our CIO Insight 2012 Enterprise Security Trends study, conducted from late December 2011 to early January 2012. To conduct the study, we emailed a survey to a random sample of IT security executives culled from the audience lists of our corporate parent Ziff Davis Enterprise’s magazines, newsletters and events; 341 respondents who work in organizations with 50 or more employees responded. Of these, 188 (55%), work in companies with 1,000 or more employees, giving our data good representation of both midrange and large enterprises. (Download a PDF version of the study results with accompanying charts here.)

The survey examined IT security spending that is formally budgeted, as well as that which falls within other budget areas. In early 2011, we fielded the same survey using a sample from the same source, so now we can see how security investment patterns have changed, or not changed, in the past year. And surprisingly, the survey results show a significant return to tradition in terms of which areas of IT are getting the most security attention, and which are receiving the least.

For example, the networking equipment budget was the only area to grow considerably from 2010 to 2011 in share of organizations seeing higher security-related spending, from 45 percent of respondents to 58 percent. Conversely, the number of organizations spending on security within compliance plummeted. However, most traditional budget areas — such as databases, servers, storage and enterprise software — remained stable in terms of the frequency of security-related investments.

Meanwhile, the most dynamic areas of IT are tending to see less security-related spending within their budgets, rather than more. For example, fewer organizations than last year are spending on security in their cloud computing, mobile device, and application development budgets (see Finding 1.1). In this year’s survey, application development spending was reported, on average, to be only 5 percent higher to address security issues, compared to 12 percent higher last year (see Finding 1.2). That’s the only extreme example, as most budget areas have remained quite stable in this regard. But the fact remains that security-related spending isn’t particularly accompanying spending among the new IT fundamentals.