Security budgets take hit in media, tech industry, survey finds

By Robert Westervelt, News Editor 18 May 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The economic downturn has resulted in shrinking IT budgets across industries, but a new survey from Deloitte Touche Tohmatsu indicates that media, telecommunications and technology firms are also cutting their security budgets.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The Deloitte survey of technology, media and telecommunications firms found that security budgets were cut in 2008 as those firms saw declining support from senior executives for compliance initiatives.

Thirty-two percent of respondents indicated reduced information security budgets, while 60% of respondents believe they are "falling behind" or still "catching up" to their security threats -- a significant increase from 49% over the previous year.

The survey reflects interesting differences across industries, said Irfan Saif, a principal with Deloitte's security and privacy services.

"While IT spending is also going down in financial services, security spending has not gone down," Saif said. "A lot of it has to do with regulatory landscape."

Security budgets: Virtualization security gains traction while IT budgets shrink: The SearchSecurity.com editorial team discusses virtualization security, the overcompliance mentality, PCI DSS changes, and tightening IT security budgets. Protecting data and IT assets in a recession: The Republic First Bank information security officer offers guidance on maintaining a security program in lean economic times. Changing information security plans in an economic downturn: In an economic downturn, it may be necessary to reevaluate security budgets.

Saif said industries where compliance is a bigger driver for security spending were impacted less by the economic downturn. Financial firms are bracing for increased regulatory oversight and healthcare firms recently saw tightened regulatory control with changes strengthening HIPAA, introduced as part of the recent government stimulus package.

Only 41% of respondents said they have a security metrics and reporting program in place. In addition, 57% of respondents believe senior executive support for meeting regulatory requirements is either missing or inadequately funded.

The result of the cutbacks is less innovation of security technologies, Saif said. Only 53% of respondents consider their organizations to be early adopters, or part of the early majority, down from 67% in 2007. The focus is on improving the technology already in place rather than investing in new security capabilities, he said.

"They're being more judicious of what they're spending on," Saif said. "There's a notable decline; everything from antispyware to email encryption."

SearchSecurity radio:

The declining security budgets also come amid growing concern of data leakage with the increased use of online social networking websites, such as Facebook and Twitter. The increased use of blogs, wikis and Web-based project collaboration tools also fuels fear of end users inadvertently losing customer data and intellectual property.

"CISOs are descrbing a higher risk generation of people that are more comfortable with Web 2.0 technologies integrated as part of their lives," Saif said. "This has a major impact on risk."

More than 80% of survey respondents named "exploitation of vulnerabilities in Web 2.0 technologies" and "social engineering" techniques such as pretexting and phishing as a threat to a company's information security. Companies are also less confident in their ability to deal with internal security risks. Only 28% of respondents rate themselves as "very confident" or "extremely confident" with regard to internal threats, down from 51% in 2007.

Privacy programs at many media, telecommunications and technology firms are also lacking, the survey found. Less than half of those surveyed indicated a privacy program in place. Only 44% have an executive responsible for privacy.

Tags: Security Industry Market Trends, Predictions and Forecasts,  Enterprise Risk Management: Metrics and Assessments,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Industry Market Trends, Predictions and Forecasts Hackers to sharpen malware, malicious software in 2010 Part 1: Marcus Ranum on the state of information security Part 2: Marcus Ranum on the state of information security Part 4: Marcus Ranum on the state of information security Part 3: Marcus Ranum on the state of information security Part 5: Marcus Ranum on the state of information security Layoffs prompt insider threat fears, cybersecurity survey finds Healthcare security spending remains sluggish, report shows How to use Internet security threat reports M86 buys Web security gateway vendor Finjan Security Industry Market Trends, Predictions and Forecasts Research Enterprise Risk Management: Metrics and Assessments How to justify information security spending on cloud computing Layoffs prompt insider threat fears, cybersecurity survey finds How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC The basics of enterprise GRC project management Enterprise Risk Management: Metrics and Assessments Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter body scanning  (SearchSecurity.com) marketecture  (SearchSecurity.com) NCSA  (SearchSecurity.com) Palladium  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary