security budgets

Security industry remains resilient to tough economy

A new survey from Gartner Inc. is confirming what industry analysts and experts have said over the last year and a half: The Security industry is resilient to the tough economy.

Gartner is predicting a slight increase in security spending in 2010. A survey conducted in April and May of 1,000 IT professionals showed security software budgets expected to grow by about 4% in 2010, outpacing all other areas of infrastructure software. Security services budgets are expected to grow nearly 3%.

“In the current highly uncertain economic environment, with overall IT budgets shrinking, even the modest spending increases indicated by the survey show that security spending accounts for a higher percentage of the IT budget,” said Adam Hils, principal research analyst at Gartner. “Security decision makers should work to allocate limited budgets based on enterprise-specific security needs and risk assessments.”

Specific areas that could expect spending growth:

• Security information and event management (SIEM)
• e-mail security
• URL filtering
• user provisioning

In June Gartner said increased interest in managed security services is driving much of the growth in the specific areas above as well as the reliance on third-party compliance consulting and vulnerability audits and scans.

At the time, Hils told me security budgets were pretty flat in 2009 while IT budgets were in decline. Companies are buying from a single security vendor offering a suite of security offerings rather than niche players. Spending on firewalls and intrusion protection systems remains strong, especially where encryption and data leakage prevention is being done, Hils said earlier this summer

Still, I wrote a story talking about some security pros having trouble navigating an increasingly competitive security job market. Perhaps the move to managed security services has enabled some firms to cut on-site security jobs.

Salary expectations need to come down as well, so we’re not signaling an all-clear for the security industry. A 4% security spending increase, as stated above by Gartner, is a standard or even slightly substandard increase. The economy has taken its toll across the board.

CISOs seek frugal ways to secure systems

It is budget cutting time. Companies in all industries are looking for ways to save money in a down economy. Security analysts say companies are slowing ongoing projects and delaying others signaling the acceptance of more risk.

Security pros that attended the two day SecureWorld Expo on March 25-26 in Boston learned about a number of ways to keep sensitive systems locked down while trimming their already tightening budgets.

Candy Alexander, CISO at Long Term Care Partners LLC, urged attendees of her session, “Security compliance program on a shoe string budget,” to develop a framework by using guidelines outlined by NIST. Alexander said NIST would be a cheaper source over the ISO standard. Although the benefits of ISO over NIST or vise versa is debatable, ISO is also not a widely adopted standard in the U.S., she said.

While much of the information doled out during the 45 minute presentation was basic, it certainly could serve as a starting point for some security pros looking for ways to keep systems secure despite a tightening budget. The most important piece of the talk: Know your data. Know where it is. Know how it flows through your systems. It’s so simple, yet time after time I hear that many data breaches happen because an attacker found a hole in a database that IT didn’t even know existed.

A friend who works for a major university in Massachusetts told me that in the first few weeks on the job he followed the basic steps of identifying the most sensitive information, where it was and how well it was protected. During the process he found a database containing thousands of credit card transactions in a small office off one of the university’s dining facilities. It had been there for years. Few knew it was there and those that did — dining facility staff with little technical expertise — didn’t realize the data residing on it was so sensitive.

Having a sound security policy and enforcing that policy was also one of the takeaways from the expo. Although it’s another fundamental part of being a security professional, we’ve heard countless times that some organizations have policies that they downloaded off of a website and rarely refer to them or educate end users about them. Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Mendocino, Calif-based consultancy, gave the SecureWorld keynote, urging those listening to rethink their security policies. If an organization doesn’t have policies that align with business objectives then they should be written with that in mind, Wood said.

Wood advised attendees to conduct an annual risk assessment tying it into the company security policies. He said some of the best security programs also create an environment that fosters higher security standards among employees. Management plays a big role, he said.

Finally, an information security officer tag team of Leilani Lauger of Loyola University and Morey Straus of NHHEAF Network Organizations tackled ways CISOs can do their job frugally. Straus said CISOs can consider managed security services and should also take a look at the company’s existing contracts with third-party vendors. Some of them may be able to be renegotiated at a cost savings, he said. Straus said CISOs can also help foster the culture of valuing information security by acting “less as a cop and more like a guide.” Lauger said security pros should also design training programs that are interesting and replace outdated posters and material with fresh content on a regular basis. Send out security messages in multiple forms, not just weekly email messages or security posters, she said.