More than three out of four security professionals think their organizations need to increase security investments, a recent SearchSecurity.com survey found.
This number is perhaps not surprising. Which IT person would say their department needs less money?
Recently, executives have said publicly that security is a priority, but it's unclear how that talk has translated into dollars being spent. In some cases, the poor economy has even driven security spending down as total budgets are slashed.
For management, spending on security can be hard to justify. Unlike buying a database or a new server that allows something to be done, security makes sure certain things don't happen.
"Most executives can only see the cost of any security solution," said Chris Willman, a project manager at New Jersey-based ISP Dandy Connections, Inc. "They think nothing of purchasing large amounts of liability insurance, yet they do not see a security solution as being the exact same thing."
Willman saw his security budget go down. "Our management is only looking at the bottom line and ignoring the risks involved with a breach, even though we are doing everything we can to inform management of the risks involved with our vulnerable points," he said.
Ted Frohling, network systems analyst, principal with the security incident response team at University of Arizona, has also seen his budget cut. The biggest hurdle for getting more money for security is that there hasn't been a big enough security incident to scare the upper administration yet, he said.
Yet security pros need to shoulder some of the blame. Part of their job is teaching management why security is important by translating it into language management understands. Security people are "not accustomed to selling their necessities, making business cases" to management, said Elizabeth Rowland, CIO of a bank affiliate in South America.
Some security folks would like more cash for devices and other security products. Others would like to see more money for staffing and for end-user education.
"Our staff cannot understand why John Smith cannot have a password of jsmith for his Internet access account," Willman said. "They simply don't realize that any weakness in any user's account is a possible vulnerability and therefore can affect the entire network."
More spending, however, doesn't necessarily translate into making a company more secure. "Current spending levels are not a problem," said Lee Beachy, vice president, information technology and security at Laconia Savings Bank in New Hampshire. "The biggest obstacles are the cultural changes that assimilating better security (and privacy and contingency) practices require."
Beachy has tried to increase the emphasis on security by adding staff, investing in testing and auditing and "more thorough vetting of technology vendors."