Post-September 11 spending windfall never happened

More than three out of four security professionals think their organizations need to increase security investments, a recent SearchSecurity survey found.

More than three out of four security professionals think their organizations need to increase security investments, a recent SearchSecurity.com survey found.

This number is perhaps not surprising. Which IT person would say their department needs less money?

The state of IT security: A SearchSecurity.com research report

For more information:

"Security spending may be up, but does that mean more security?"

"Security Decisions: TCO model prioritizes security in the enterprise"



See these other news exclusives based on original SearchSecurity.com research:

"Disaster recovery is hot; biometrics are not"

"Solid security policies help mitigate disasters"

Feedback on this story? Send your comments to News Writer Edward Hurley

Recently, executives have said publicly that security is a priority, but it's unclear how that talk has translated into dollars being spent. In some cases, the poor economy has even driven security spending down as total budgets are slashed.

For management, spending on security can be hard to justify. Unlike buying a database or a new server that allows something to be done, security makes sure certain things don't happen.

"Most executives can only see the cost of any security solution," said Chris Willman, a project manager at New Jersey-based ISP Dandy Connections, Inc. "They think nothing of purchasing large amounts of liability insurance, yet they do not see a security solution as being the exact same thing."

Willman saw his security budget go down. "Our management is only looking at the bottom line and ignoring the risks involved with a breach, even though we are doing everything we can to inform management of the risks involved with our vulnerable points," he said.

Ted Frohling, network systems analyst, principal with the security incident response team at University of Arizona, has also seen his budget cut. The biggest hurdle for getting more money for security is there hasn't been a big enough security incident to scare the upper administration yet, he said.

Yet security pros need to shoulder some of the blame. Part of their jobs is teaching management why security is important by translating it into language management understands. Security people are "not accustomed to selling their necessities, making businesses cases" to management, said Elizabeth Rowland, CIO of a bank affiliate in South America.

Some security folks would like more cash for devices and other security products. Others would like to see more money for staffing and for end-user educations.

"Our staff cannot understand why John Smith cannot have a password of jsmith for his Internet access account," Willman said. "They simply don't realize that any weakness in any user's account is a possible vulnerability and therefore can affect the entire network."

More spending, however, doesn't necessarily translate into making a company more secure. "Current spending levels are not a problem," said Lee Beachy, vice president, information technology and security at Laconia Savings Bank in New Hampshire. "The biggest obstacles are the cultural changes that assimilating better security (and privacy and contingency) practices require."

Beachy has tried to increase the emphasis on security by adding staff, investing in testing and auditing and "more thorough vetting of technology vendors."

Dig deeper on Government IT Security Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close