Winding down security spend

Gartner states that global security spend, as a part of overall IT budgets, is set to decline as CIOs work to achieve more efficiency from operations and add value to the business.

  • E-Mail
By  Sathya Mithra Ashok Published  November 14, 2007

For the first time since 2003, security spending has fallen out of the top ten business priorities listing for global CIOs. This is according to the results of an annual survey conducted by Gartner among IT managers.

"Gartner conducts this survey among 1200 to 1400 CIOs across geographies between January and March of every year. The latest results indicate that security has fallen in the top ten technology priorities list for CIOs from the previous year's number two to number six this year. Security has not been included at all in the top ten list of business priorities for IT managers. However, security spending, in actual terms, is expected to increase by around 9% over the next year," says John Pescatore, VP distinguished analyst, infrastructure protection at Gartner.

According to Pescatore, there are two distinct reasons for this change in the outlook of CIOs towards security.

"First, the nature of these threats have changed out there from these sort of broad mass attacks like the worms we saw in past years that constantly made the news and everybody felt the impact, and CEOs and CIOs were hearing about it in TV news or mainstream press. Since 2004 the types of attacks we have been seeing are much more narrow and targeted attacks, where the cyber criminal goes after one company and this very often does not make the news at all. We are seeing more and more of these identity thefts; these targeted attacks that are much more damaging but do not hit everybody all at once," says Pescatore.

CIOs are beginning to realise that security already accounts for around 6% of IT spend and an increase would mean it consumes larger parts of IT budgets.

More important is the second reason where CIOs are beginning to realise that security spending cannot continue to grow as a percentage of overall IT spending indefinitely.

"Through qualitative interviews that we conducted as part of the survey we have discovered that in absolute spending terms while security budgets will rise, CIOs are beginning to realise that security already accounts for an average 6% of the overall IT spend and realise an increase in spend will mean it will consume larger and larger parts of the IT budgets. And CIOs are starting to say, wait a minute, why are we not getting more efficient, why is it always that the security budget needs more money and we are cutting everybody else's budget?," says Pescatore.

CIOs consequently are working on achieving higher efficiency from the security spend of organisations, according to Pescatore. This drive to gain more effectiveness from the dollars being spent can take many forms, key among them being working security into the routine IT and business processes of a firm. The evolution of firms to the stage of higher efficiency can be traced from Gartner's security maturity model.

"The lowest level is that of blissful ignorance. This is where nothing bad has happened, you are not having much use of the net and security is probably below 3% in your IT spending. The next stage is the awareness phase which is where they are starting to say we do need new security policies because of either e-business or increased employee remote access. That's the area where we often see security spending closer to the average of 4% to 6% of IT budget," says Pescatore.

The awareness phase is the stage that Pescatore estimates most enterprises would be at by next year. This is where large companies start asking questions to move up the ladder. This is followed by the corrective phase where companies start to take a more process-based approach to IT security.

"It is in this stage that companies get onto developing architectures and taking a process based approach towards security. That is the point where we see the security spend flattening as a part of overall IT budgets. If you look at financial institutions that have moved onto a more mature security phase and if you survey their numbers you would notice that they are spending lower percentages on security," points out Pescatore.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code