A top research firm predicts that IT security spending will remain steady through 2011 with identity management as the top focus, but also suggests that CIOs still don't rank security projects among their high-priority initiatives.
Stamford, Conn.-based Gartner Inc. will announce Thursday that during the next 12 months, it expects that enterprises will spend approximately 5% of their total IT budgets on information security technology. While that percentage is down slightly from 6% last year, Gartner forecasts that overall IT budgets will increase by nearly 2%, meaning security spending will largely hold its ground.
Gartner this week is previewing its latest security spending data -- compiled via a host of recent research efforts -- in advance of its Security and Risk Management Summit, which takes place near Washington, D.C., June 21-23.
Gartner Managing Vice President Vic Wheatman said that few enterprises are considering out-of-the-ordinary security technologies during the upcoming spending cycle, but implementations that had been put on hold during the recession will come to fruition.
"In some ways, companies had to sort of coast a little bit during the economic slowdown and run the risk of leaving themselves vulnerable," Wheatman said. "I think there's a bit of catching up going on, plus market consolidation and new functionality has created a better value proposition in areas like intrusion prevention and strong authentication."
Identity management was ranked as the No. 1 security technology priority among respondents in Gartner's 2010 CIO Survey, with more than 20% listing it as a spending priority. Wheatman said the interest in identity management is tied to several trends: increased focus on the integration of self-service applications, both internally and to trusted external partners; the need to ensure strong authentication for systems that provide sensitive data; and the necessity of passing compliance audits.
Wheatman also said the interest in identity management may be driven in part by the growing concern among enterprises about the advanced persistent threat (APT): malicious domestic and foreign entities that covertly gain access to enterprise networks and data through hard-to-detect means, such as stolen usernames and passwords. In many cases they simply log in, seemingly as legitimate users, without anyone ever knowing.
"APT certainly creates problems, with [attackers] getting inside the network and roaming around, gaining access and basically gaming the system," Wheatman said. "It's about preventing everything from ID theft to intellectual property theft."
Other near-term security project priorities, according to Gartner's data, include data loss prevention (DLP), antivirus and antimalware (changing vendors or adding new capabilities), firewalls, and intrusion prevention systems (IPS).
However, according to Gartner, enterprise security projects often lag behind other IT areas. In its most recent survey to determine how enterprise CIOs prioritize their IT projects, security technology projects came in ninth, behind up-and-coming technologies like virtualization, cloud computing, Web 2.0 and mobile technologies, among others.
It's a trend that disturbs Mark Kadrich, president and CEO of The Security Consortium, a San Jose, Calif.-based security product research and consulting firm. He said security spending may be holding steady, but the threat landscape isn't.
"Networks have gotten more complex, threats have gotten more complex, and clearly the capabilities of professional attackers have increased over the past year," Kadrich said. "My concern is this treading water… spending the same amount as last year, and hoping they attack someone else."
Kadrich said too many companies push ahead with new security technology purchases not only without making the most of their existing security products, but also without considering how new technology will integrate with legacy infrastructure.
Gartner also noted that the average enterprise spends $525 per employee on security, but certain industries average much more. Wheatman said large insurance companies average $886 per employee, professional services $836, government entities $671, and financial services $637.