Channel Insider content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

While companies identify their biggest IT security problem as how users access the internet, they typically ignore that problem when spending their security budgets.

That’s according to a new survey of more than 300 IT professionals conducted by CDW.  And the disconnect doesn’t stop there.  The study identified other crucial areas as well that were ignored when it came to budgeting as IT organizations favored spending on new vendor-promoted technology instead.

“There’s a bit of dissonance between what people perceive as their needs in security and what they are spending their budget on,” says Peyton Engel, a technical architect and a security specialist for direct market reseller CDW. “They say they have Problem A, but then they spend to fix Problem B instead.”

For instance, IT professionals cited their number one security concern as inappropriate internet use on the company network, but only 56 percent of companies had internet content blocking or filtering in

Learn Five Ways to Improve Customers’ Security.

Mobile security issues also posed a problem. A full 68 percent of IT executives say their organization does not have a distinct policy on security for remote or mobile access. In fact, 45 percent say their company does not provide secure remote access and 75 percent do not employ any form of hard drive encryption.

And while 77 percent of IT executives say their IT security systems are easy to use, only 18 percent give their users an “A” on understanding the company’s IT security policies, procedures and required practices, and only 23 percent give users an “A” on compliance with these policies.

Engel believes that part of the disconnect may come because IT organizations buy the new and heavily promoted products from their security vendors.

“Most of those products are good for something, but they aren’t good for what IT needs,” Engel says.  “A major problem is user awareness of security issues, but vendors aren’t selling that.”

Another problem could be that technology such as content filtering is harder to sell because it tends to be unpopular with users who view it “like a big brother tool.”  Sales people may find it easier to sell a product that does something else.
Also, spending on security technology tends to be reactive.  Customers spend on technology to protect against a problem after a specific incident has made the news, or happened to another customer.

“A lot of security spending is done in crisis mode in response to some kind of catastrophe,” Engel says. “One of the problems that security faces at the moment is that it is on autopilot. People treat the lists of best practices as they are true at all times and in all places. While not any of those are a bad idea, they are not necessarily business-justified for every business environment out there.”

IT organizations focus on the big picture with the rest of their spending, Engel says, but when it comes to security they get off-track and reactive.  VARs should sit down and help their customers see that big-picture view of what the security issues actually are and so they can spend on the right ones for their individual businesses, instead of the ones that might be making headlines.

CDW’s online survey (registration required) included responses from 304 IT professionals who said their companies have written IT security policies and procedures. Thirty-nine percent of the participants were from companies with 101-500 employees, and 61 percent were from companies with more than 500 employees.