Turns out enterprises will be spending more on security after all.
According to a new report released today by Heavy Reading Enterprise, organizations of all sizes will increase spending for security products and services over the next two years: 66 percent of respondents from both large- and medium-sized companies and 55 percent of small companies. These findings are in sharp contrast to vendor and analyst warnings of late that security spending is slowing. (See Symantec Signals More M&A.)
Around 200 organizations participating in the Heavy Reading Enterprise survey, which was conducted in May, are broken into large companies with revenues of over $500 million and/or more than 1,000 employees; medium-sized with $50 million to $500 million in revenues and 100-1,000 employees; and small companies, with less than $50 million and under 100 employees.
And 10 percent of large companies plan to increase spending by 25 percent or more, while 8 percent of medium companies and 9 percent of small companies plan to do so. 29 percent of large companies and 28 percent of medium-sized ones say their spending will remain flat, and 43 percent of small companies will keep their spending status quo.
So what's driving this security spending spree? "Security is not settling down. There are more and more security incidents every day, spam, spoofs, or loss of sensitive data," says Robert Lerner, senior analyst for Heavy Reading. "Organizations are looking to fill in a lot of security gaps and trying to build an enterprise-wide security system."
Lerner says these organizations are looking to purchase threat management (23 percent), identity management (23 percent), encryption/key management (21 percent), compliance management (21 percent), vulnerability assessment (21 percent), intrusion prevention (21 percent), and security monitoring (20 percent) products. "We didn't drill down on this, but this probably has to do with the many losses of sensitive data and regulatory requirements like HIPAA pressuring companies to better protect their data," Lerner says.
Antivirus and firewalls were at the bottom of the shopping list (fewer than 5 percent plan to buy either) because most organizations already have these products in place, he says. The Heavy Reading Enterprise report also revealed that organizations don't have much interest in biometrics or source-code analysis tools right now: 64 percent say they have no intention of deploying biometrics, and 43 percent say the same of source-code analysis.
What they do want, according to the survey, is interoperability among different vendors' security products, as well as ease of use, and to consolidate their number of separate products and vendors. Interoperability was at the top of the list, with over 80 percent. In a seemingly contradictory response, just under 75 percent want solutions with a broad range of features; however, more than 75 percent also want single-purpose products.
Lerner says this discrepancy between wanting products with multiple features and wanting those that address a specific need has to do with the broad range of threats companies face these days, as well as the reality that no one product can do it all. "They want to manage these threats more easily and effectively but also want to limit the number of products they have to implement and support," he says. "And the reality is they have to deal with a number of vendors, which is where their desire for interoperability comes in."
And because most organizations already have made heavy security investments, scrapping these for a broader solution isn't so simple, he says.
Customers may have a specific need for virus protection or threat management, he says. If you look at their desire for a broad range of features, interoperability and integrated products, it all points to companies wanting something bigger that solves more security problems and is easier to use. They may want a big solution, but all they need is to fill a specific gap, so they must purchase that AV or threat assessment package, he says. "In an ideal world, implementing technologies from a handful of vendors would be great if the products were interoperable," he says. "Another way of looking at this is, while they want the advantages of broader solutions and interoperable products, they are going to plug holes where needed and control the resources they are expending on security."
Companies are not going with a single-vendor security architecture, either; less than 20 percent plan to do so. "They were lukewarm over integrated solutions," he says. About 47 percent of large organizations say integration is important, as do 56 percent of small companies, he says. "They are not planning to standardize on a specific vendor's [integrated] solution," Lerner says. "They may not be looking to make a large investment that an integrated suite may entail."
Support for security standards, meanwhile, was big among large organizations (83 percent), which are likely ahead of smaller companies (67 percent) in the adoption of these technologies, such as Java and .NET, Lerner says. "Such products are easier to support and easier to replace, not to mention the fact that they can limit vendor lock-in."
And when it comes to choosing their vendors, enterprises like to go with what they know. Experience in the security market and reputation are the top factors for choosing vendors, cited by over 80 percent and under 80 percent, respectively, according to the survey. At the top of the list of perceived market leaders in security was Cisco (80 percent), with Symantec, VeriSign, and McAfee close behind, and then RSA (under 45 percent), Trend Micro, CheckPoint, IBM, and CA, all at around 40 percent.
But the biggest surprise was how closely security newcomers Microsoft and Oracle ranked, with under 30 percent and 20 percent, respectively, and how they beat out other security firms, including Enterasys, Arbor Networks, and StillSecure. Lerner says it's brand recognition, for sure: "This suggests that a highly visible vendor coming in can threaten the dynamics of the market." And Microsoft is the biggest threat with its OneCare line that is likely to give Symantec, McAfee, and others a run for their money, he says. "OneCare opens up the consumer and small business market," and the added security in Vista will also threaten other security vendors.
"The market still offers a lot of growth opportunity. We're going to continue to see mergers and acquisitions among smaller vendors" to beef up their offerings, he says.
The Future of Network & Information Security: A Heavy Reading Enterprise Survey is published in PDF format and costs $4,995. The price includes an enterprise license covering all of the employees at the purchaser's company. Purchasers of the report also gain access to the full survey results, for targeted analysis in a searchable database. The online database allows for segmentation of results by a range of factors, including service provider type, geographic location, and respondent job title.
Kelly Jackson Higgins, Senior Editor, Dark Reading