CISOs have their eyes on application security, NAC, and security services, according to Merrill Lynch survey

Money is still tight for security, but chief information security officers (CISOs) plan to pump more funds into application networking/security and into preventing data loss, according to a new survey conducted by Merrill Lynch.

Don't expect any drastic changes in security budgets over the next 12 to 18 months. Survey respondents will increase overall security spending by about 4 percent over that period, about the same increase they reported in a September survey by Merrill Lynch. In addition, 62 percent of the roughly 50 North American IT executives surveyed said they expect security spending to increase over this same time period.

Interestingly, more than half of the respondents said they increased their security budget since the beginning of this year, and only 10 percent said they had cut their budget. Nearly 40 percent said their budgets had remained the same. (Most of the respondents are from large enterprises: Two thirds are from firms with over 10,0000 employees.)

So how does security stack up with other IT spending? The survey found that the proportion of security to overall IT budgets increased slightly, from an average of 5.5 percent in September to an average of 5.9 percent in December. And the biggest driver for changes in security budgets remains regulatory requirements (28 percent), although 32 percent answered "not applicable/unsure." Eighteen percent attributed the changes to new project approvals.

At the top of the list of security spending priorities was endpoint security/NAC, with a 5.1 percent increase in spending over the next 12 to 18 months; application networking/security, with 3.4 percent; and intrusion detection/prevention, with 3.2 percent. Data loss prevention got the highest ranking as the most promising new security technology, with 40 percent, but that was a decrease from 62 percent in September.

And security as a service is on their radar screens: 42 percent said they are more likely to consider security as a service these days, with 30 percent of these respondents leaning toward IDS/IPS services, 24 percent for anti-spam, and another 24 percent for vulnerability management services. Of the 28 percent who said they wouldn't consider security services, 32 percent cited trust concerns, and 27 percent said the ROI benefits aren't clear enough for such a change.

Staff constraints (24 percent) and budget constraints/cost savings were the main reasons cited by respondents who said they would consider security services.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
