BOSTON -- Data breaches and compliance initiatives are buoying most IT security budgets, as upper level company executives are approving projects to lock down customer data and protect intellectual property.
That was the finding of an annual survey of more than 1,200 IT security decision makers at North American companies conducted by Forrester Research Inc. The amount of IT budget devoted to security has risen to 10% in 2008, an increase of 2% over last year's budget.
"Security managers are doing a better job of making their case within the organization and they're starting to see results," Khalid Kark, principal analyst at Forrester Research said in a keynote Thursday at Forrester's Security Forum 2008, where he presented the survey data.
Some industries, such as airline and auto manufacturers are trimming budgets, but overall most IT security budgets are weathering the economic downturn, Kark said. Companies have the right priorities when it comes to security. Fifty-nine percent of those surveyed said their main objective is to protect customer data, followed by protecting corporate intellectual property and sensitive internal data (54%).
There is also evidence that the security organization is gaining a much clearer connection to upper-level company executives. About 50% of CISOs report to a board, CEO or executive committee, Kark said. CISOs have also been gaining responsibility over the last decade, becoming more like chief information risk officers, he said.
"This is very different from even a couple of years ago when many of us were deeply embedded within IT," he said.
One of the toughest problems for security organizations is finding qualified people to run security programs, Kark said. IT security organizations that have people who understand both the business and technology side are faring better in the economic downturn.
Metrics are also an issue, he said. Many IT security pros are struggling to measure security improvements.
"There's a constant struggle with it because many people don't know how to translate metrics into business language," Kark said. "The security organization needs to look for an influential executive able to make the case."
To save money, some companies are choosing to outsource some security functions to service providers. Companies are also spending less on security products designed to solve only one problem, Kark said. Instead they are turning to security vendors that can solve an immediate pain point and then expand into broader areas, he said.