Security Spending Grabs Greater Share Of IT Budgets

Top 10 Security Stories Of 2010

Today, spending on data security remains strong, and investments in vulnerability management are increasing. Meanwhile, organizations are spending less on identity and access management, as well as regulatory compliance, and spending too little on securing their applications.

Those findings come from a new Forrester Research report, "The Evolution Of IT Security, 2010 To 2011," released on Feb. 15. The study is based on a Forrester survey of 2,058 IT professionals at North American and European businesses of all sizes, conducted between May and July of last year.

Inside organizations, security's importance is growing, as mirrored by its share of the IT budget: 8.2% in 2007, growing to 14% in 2010. Likewise, security is increasingly a board-level concern. Today, 54% of organizations have a chief information security officer that reports to a C-level executive, and 42% have one that reports to someone outside of the IT department.

While businesses rely more than ever on information security, the challenge of securing businesses continues to increase. For that, thank more sophisticated attacks, high cleanup costs in the event of a data breach, as well as businesses' increased use of "outsourcing, virtualization, cloud, mobility, Web 2.0, and social networking," said Forrester.

As organizations try and keep pace, security priorities and spending are shifting. Notably, there's been a move away from some large-scale endeavors, such as identity and access management, to smaller, more focused projects. For example, more organizations are now implementing specific authentication capabilities, such as single sign-on, strong authentication, and identity federation for SaaS.

But too many organizations still focus on preventing yesterday's attack, rather than tomorrow's, said Forrester. "Most security organizations continue to focus inappropriate attention on network vulnerabilities and reactive network security tools rather than on proactive application security practices."

Notably, said Forrester, application security "remains an area of underinvestment," and now has a lower spending priority than it did in 2008 -- despite the increase in attacks that exploit Web application vulnerabilities.

Interestingly, Forrester also examined how security managers identify what they want to buy. In 2010 -- as in 2009 -- nearly two-thirds of survey respondents turned to their peers and colleagues for word-of-mouth advice.

But they also are turning to other sources of information. For example, search engines (used 61% of the time) are now the second most popular source of information, while people's reliance on online discussion forums, social networks, live salespeople, and webinars also increased from 2009 to 2010. Meanwhile, people now rely less on industry events, analyst firms, and blogs to guide their buying decisions.