Isn't it funny how anyone who doesn't work in infosecurity automatically assumes that security's budget cup runneth over? Well, maybe not funny. More like, sad.
The assumption that IT security budgets are growing across the board is a myth, according to an Information Security survey of 518 senior security managers. Almost half of survey respondents said that FY 2003 cybersecurity budgets will either decrease (17 percent) or be flat (30 percent) compared to FY 2002. Another third said their budgets will increase by less than 20 percent. Only 16 percent said budgets will increase by more than 20 percent.
"We're still under very tight budget constraints in general," says Warren Axelrod, director of global information security for Pershing, a New Jersey-based financial services firm.
Any bumps in the budget will be small, says Bill Boni, CISO of electronics giant Motorola.
"We're seeing an incremental increase in our budget," Boni says. "But it's modest, and it's procured through business case analysis, not a once-a-year, 'throw all your numbers at 'em and hope you get enough to do the job right.'"
Security spending trends aren't uniform across all enterprises. Organizational dynamics such as vertical industry, size of company, regulatory requirements and corporate culture all affect budgeting. Organizations under tight security regulatory controls, for example, are spending more on security because they have no choice. And compared to large companies, small businesses are spending a much higher proportion of their IT budgets on security, partly because they remain in the "ramp-up" stage (see Figure 1).
Where there is an increase in security spending, the lion's share of it will go toward new or renewed IT security products, according to the survey. Four out of 10 organizations said their budgets for products will increase in 2003. Infosecurity awareness training will also be popular, with 35 percent increasing spending in this area.
"The single most critical element to cybersecurity is to educate your population," says Thomas Madden, CISO of the Centers for Disease Control and Prevention in Atlanta.
Budgets vs. Spending
While security budgets will be mostly flat in 2003, it's important to distinguish between budgeted dollars and overall spending. Spending for some security projects is absorbed on the divisional or departmental level, and doesn't necessarily show up in the corporate information security budget.
"Overall, expenditures on security-related items are much greater," says Pershing's Axelrod. "But that's not because specific security budgets are increased. It's because we're seeing greater integration of security in the products and activities throughout the organization."
Moreover, if the overall economy improves in the second half of 2003, it's reasonable to expect that IT security spending will follow suit.
"If the economy returns to some semblance of health, general IT spending will increase, and the percentage of IT security budget should increase as a part of that," says Motorola's Boni.