Dark Reading is part of the Informa Tech Division of Informa PLC

Despite Economy, Security Spending To Increase In 2009

Data protection, identity management to get increasing attention in new year's budgets, Forrester says

Despite a troubled economy, both large and small enterprises are poised to spend a higher percentage of their IT budgets on security in 2009, a major research firm said today.

According to new reports on IT security trends in large enterprises and small and midsize businesses (SMBs) released today by Forrester Research, the pressure to cut back on IT spending is not slowing the trend toward increased security spending.

"Security is getting a larger slice of the IT budget pie," says Forrester analyst Jonathan Penn in the enterprise study. "Firms are devoting 11.7 percent of their company's IT operating budget to IT security in 2008 -- contrasted with 7.2 percent in 2007 -- and plan to continue nudging up IT security budgets in 2009 to 12.6 percent of the IT operating budget." Security will also account for a higher percentage of budget allocations for new initiatives this year, going from 17.7 percent in 2008 to 18.5 percent in 2009, the report says.

Similar increases are expected in smaller companies, Penn says in the SMB report. "SMBs devoted 9.1 percent of their companies' IT operating budget to IT security in 2008 -- down from 9.4 percent in 2007 -- but they have plans to bring IT security budgets back up to 10.1 percent in 2009," the report says. "Allocation of budget for new initiatives mirrors this trend, with security going from 14.9 percent in 2008 to 15.9 percent in 2009. No big swings of the budget axe here."

What are the drivers behind the spending increases? "Protecting the organization's information assets is the top issue facing security programs," the enterprise report states. "Data security (90 percent) is most often cited as an 'important' or 'very important' issue for IT security organizations, followed by application security (86 percent) and business continuity/disaster recovery (84 percent). Meanwhile, areas like threat management (81 percent) and regulatory compliance (80 percent) are cited less frequently."

Among SMBs, data security is at the top of the list of issues deemed important (87 percent), with application security close behind (80 percent), Forrester says.

Among technologies, managed security services, data loss prevention, and identity and access management are at the top of the list to receive more attention in 2009.

"Managed security services are growing, driven by skill needs and cost savings," the enterprise report says. "The two top drivers among firms for using a managed security service provider are the demand for a specialized skill set (29 percent) and the need to reduce costs (28 percent). While email/Web content filtering is the most popular managed security service today, the greatest promise for [managed security services] growth in the coming 12 months is in vulnerability assessment and in host event log monitoring and management."

In the data security area, the top technologies that firms plan to adopt or pilot during the next 12 months include data leak prevention (21 percent), application encryption platforms (19 percent), and enterprise key management solutions (19 percent), the enterprise report states.

Identity and access management (IAM), long viewed as a technology that was too complex and expensive to do on an enterprise level, will push ahead in 2009, according to Forrester. "In a marked shift from a few years ago (and from lingering perceptions today), security is the primary motivator for identity and access management (IAM) adoption by most firms (52 percent), with less than one-quarter (22 percent) citing regulatory compliance as the primary driver," the enterprise report states.

"While firms are concerned with [IAM] products and implementation being too costly (38 percent) and too complex (30 percent), 15 to 21 percent will pilot or adopt a range of IAM technologies during the next 12 months," the report continues. "Enterprise single sign-on will see the highest absolute adoption, with 21 percent of firms planning to pilot or adopt, followed by provisioning with 19 percent." Federation and provisioning will see the most growth relative to their existing market penetration, Forrester says.

SMBs are focusing on a different range of technologies, according to Forrester. "Use of personal firewalls -- adopted by 58 percent of SMBs already -- will remain popular, and 19 percent plan to adopt or pilot a host intrusion prevention system (HIPS) in the next 12 months," the SMB report states. "But expect to see SMBs start to complement these with a range of data encryption and protection technologies: SMBs also have strong plans to pilot or adopt full disk encryption (18 percent), file-level encryption (18 percent), and endpoint application/device control (17 percent)."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
