PCI Security Adoption Lags as IT Budgets Shift: Gartner
Payment Card Industry data security standards may be a hot topic, but a recent survey by IT research firm Gartner found that 18 percent of respondents admitted to not being PCI-compliant, even though the survey data suggested that they should be. The survey of 383 IT managers found trends in buying behaviors and permitted predictions of future security spending.
Last year, 55 percent of those surveyed said their budgets would stay the same for next year; however, this year, only 30 percent confirmed this. Furthermore, 33 percent of respondents expected growth in their budgets, with 22 percent expecting a 5 percent or more IT budget increase, compared with 20 percent last year, meaning there has been a slight increase in the overall spending for security. This is despite the fact that 15 percent of this year's respondents said they expect a budget decrease; last year, 9 percent predicted a decrease in their overall IT budget.
"Given that many of the technology providers in the security market target their products and help with PCI-related compliance initiatives, it came as something of a surprise that such a high percentage of survey respondents said that they were not PCI-compliant," said Lawrence Pingree, research director at Gartner. "Technology and service providers should continue to market their ability to help solve customer issues with compliance for the PCI security standards. End-user organizations must also work to address the awareness of their PCI security standards compliance status, so that their employees know whether or not they are compliant with the PCI standards."
This year, the IT security budget planners who anticipate an increase are expecting a fairly significant increase in their security budget allocations over last year. Last year's budget expectations were for a 6 percent share of the total IT budget expenditure to be allocated to the security function. In this year's survey, that allocation has increased to a mean of 10.5 percent, an increase of over 4 percent. This means that roughly 10 cents of every IT dollar allocated will be spent on IT security, the report found.
Gartner found that the dominant spending this year was on personnel, which is similar to last year; however, this year, allocation is down slightly from 35 to 32 percent. Consulting services and outsourcing services are also both lower from last year's numbers, with a significant consulting decrease from 14 percent last year to 11 percent this year, and outsourcing dropped from 18 percent last year to 11 percent this year.
Budgetary increases this year came in both hardware and software spending, with hardware up from 18 percent last year to 22 percent this year, and software up from 20 percent to 22 percent as organizations continue to deploy products to address heightened security issues based on recent press and large-company data breaches.
When asked about the top security projects for 2011, respondents put data-loss prevention (DLP) at the top of their lists with user provisioning and event management coming in second, and security information and event management (SIEM) coming in third on the priority list. Intrusion detection, network access control, application security, and IT governance, risk and compliance management (GRCM) tools also rank high on the list.
"This new focus on data-loss prevention is critical when considering the dynamic nature of cloud environments and trends to virtualize application workloads," Pingree said. "This will be considerably important in order to support the attachment of business policy controls to data types as the dynamic nature of data movement within application workloads is sought."