The economic downturn has resulted in shrinking IT budgets across industries, but a new survey from Deloitte Touche Tohmatsu indicates that media, telecommunications and technology firms are also cutting their security budgets.
The Deloitte survey of technology, media and telecommunications firms found that security budgets were cut in 2008 as those firms saw declining support from senior executives for compliance initiatives.
Thirty-two percent of respondents indicated reduced information security budgets, while 60% of respondents believe they are "falling behind" or still "catching up" to their security threats -- a significant increase from 49% over the previous year.
The survey reflects interesting differences across industries, said Irfan Saif, a principal with Deloitte's security and privacy services.
"While IT spending is also going down in financial services, security spending has not gone down," Saif said. "A lot of it has to do with regulatory landscape."
Virtualization security gains traction while IT budgets shrink: The SearchSecurity.com editorial team discusses virtualization security, the overcompliance mentality, PCI DSS changes, and tightening IT security budgets.
Protecting data and IT assets in a recession: The Republic First Bank information security officer offers guidance on maintaining a security program in lean economic times.
Changing information security plans in an economic downturn: In an economic downturn, it may be necessary to reevaluate security budgets.
Saif said industries where compliance is a bigger driver for security spending were impacted less by the economic downturn. Financial firms are bracing for increased regulatory oversight and healthcare firms recently saw tightened regulatory control with changes strengthening HIPAA, introduced as part of the recent government stimulus package.
Only 41% of respondents said they have a security metrics and reporting program in place. In addition, 57% of respondents believe senior executive support for meeting regulatory requirements is either missing or inadequately funded.
The result of the cutbacks is less innovation of security technologies, Saif said. Only 53% of respondents consider their organizations to be early adopters, or part of the early majority, down from 67% in 2007. The focus is on improving the technology already in place rather than investing in new security capabilities, he said.
"They're being more judicious of what they're spending on," Saif said. "There's a notable decline; everything from antispyware to email encryption."
The declining security budgets also come amid growing concern of data leakage with the increased use of online social networking websites, such as Facebook and Twitter. The increased use of blogs, wikis and Web-based project collaboration tools also fuels fear of end users inadvertently losing customer data and intellectual property.
"CISOs are descrbing a higher risk generation of people that are more comfortable with Web 2.0 technologies integrated as part of their lives," Saif said. "This has a major impact on risk."
More than 80% of survey respondents named "exploitation of vulnerabilities in Web 2.0 technologies" and "social engineering" techniques such as pretexting and phishing as a threat to a company's information security. Companies are also less confident in their ability to deal with internal security risks. Only 28% of respondents rate themselves as "very confident" or "extremely confident" with regard to internal threats, down from 51% in 2007.
Privacy programs at many media, telecommunications and technology firms are also lacking, the survey found. Less than half of those surveyed indicated a privacy program in place. Only 44% have an executive responsible for privacy.