A new set of survey results released this week by PricewaterhouseCoopers (PwC) found that as organizations have held steady or increased IT security budgets in the face of other IT cuts, they’ve been under more pressure than ever to offer greater value through security spend.
Unveiled by PwC on Wednesday, the 2009 Global State of Information Security polled 7,200 C-level executives about their IT security budgets and practices. The results showed that security budgets largely survived the sweeping cuts that gutted many other areas of IT operational spending this year. But that leeway came at the cost of greater scrutiny from upper-level management of security’s performance, hence the report’s title, Trial by Fire, says Mark Lobel, advisory partner for PwC’s Information Security and Privacy Services division.
“It really feels like this economic downturn has created an inflection point for information security professionals. We expected significant cuts because security is not a revenue generation activity; in most organizations it’s a revenue protection activity. But security was protected,” Lobel says. “But the converse of that was this intense pressure to perform. You know, ‘Here’s this economic downturn with almost 10 percent unemployment and if there’s going to be a time when bad things are going to happen, this is that time, those bad things are happening. Are we getting the value from our security investments?’”
The survey found that executives still did “flinch” at economic pressures in regard to security budgets. From 2006 through 2008, PwC’s annual survey found that the number of organizations reporting a yearly increase in security budgets held pretty steady at 44 to 46 percent. This year it dropped by six points down to 38 percent. Nevertheless, around two-thirds of respondents said their security budgets would increase or stay the same.
The survey also found that even as projects were cut or deferred, executives preferred to keep the scalpel close to the skin. Approximately 47 percent of organizations reported that they would need to reduce budgets for at least some projects deemed “important” that require capital expenditures. But broken down, 19 percent of respondents said they’d reduce targeted project budgets by under 10 percent, another 16 percent of respondents said the reduction would equal between 10 percent and 19 percent, and just 12 percent of respondents said the reductions would be by 20 percent or more.
Across the board, whether organizations faced security cuts or not, respondents reported that the economic environment is making it harder to protect organizations. Approximately 52 percent of respondents said that the increased risk environment has elevated the role and importance of the security function, 43 percent said risks to company data have increased due to layoffs and 42 percent reported that because their suppliers have been weakened by the downturn, they face additional risks.
Even as the pressure has mounted, though, many organizations have stepped up to the plate to perform. Between this year and last, polled organizations have made a 7 percentage point gain in regularly conducting compliance testing, a 6 percentage point gain in employing risk-based authentication and an 8 percentage point gain in the deployment of security event correlation software.
From the CIO and CSO perspective, Lobel says the lesson from the most recent survey is that even though it’s not a revenue-producing activity in most cases, security can add great value to an organization and that they need to find opportunities to add value with each expenditure.
“From the VAR’s perspective, I’d say the takeaway is that security is a space to be looking at for customers, especially with things that have some sort of ROI,” he says. “There’s definitely pressure to show value for all of this investment we’ve been making; look at those additional value protection mechanisms and potentially even one or two value creation mechanisms, like an externally facing identity management that helps give a better customer experience versus your (client’s) competitors.”