News Stay informed about the latest enterprise technology news and product updates.

Post-September 11 spending windfall never happened

More than three out of four security professionals think their organizations need to increase security investments, a recent SearchSecurity survey found.

More than three out of four security professionals think their organizations need to increase security investments,...

a recent survey found.

This number is perhaps not surprising. Which IT person would say their department needs less money?

The state of IT security: A research report

For more information:

"Security spending may be up, but does that mean more security?"

"Security Decisions: TCO model prioritizes security in the enterprise"

See these other news exclusives based on original research:

"Disaster recovery is hot; biometrics are not"

"Solid security policies help mitigate disasters"

Feedback on this story? Send your comments to News Writer Edward Hurley

Recently, executives have said publicly that security is a priority, but it's unclear how that talk has translated into dollars being spent. In some cases, the poor economy has even driven security spending down as total budgets are slashed.

For management, spending on security can be hard to justify. Unlike buying a database or a new server that allows something to be done, security makes sure certain things don't happen.

"Most executives can only see the cost of any security solution," said Chris Willman, a project manager at New Jersey-based ISP Dandy Connections, Inc. "They think nothing of purchasing large amounts of liability insurance, yet they do not see a security solution as being the exact same thing."

Willman saw his security budget go down. "Our management is only looking at the bottom line and ignoring the risks involved with a breach, even though we are doing everything we can to inform management of the risks involved with our vulnerable points," he said.

Ted Frohling, network systems analyst, principal with the security incident response team at University of Arizona, has also seen his budget cut. The biggest hurdle for getting more money for security is there hasn't been a big enough security incident to scare the upper administration yet, he said.

Yet security pros need to shoulder some of the blame. Part of their jobs is teaching management why security is important by translating it into language management understands. Security people are "not accustomed to selling their necessities, making businesses cases" to management, said Elizabeth Rowland, CIO of a bank affiliate in South America.

Some security folks would like more cash for devices and other security products. Others would like to see more money for staffing and for end-user educations.

"Our staff cannot understand why John Smith cannot have a password of jsmith for his Internet access account," Willman said. "They simply don't realize that any weakness in any user's account is a possible vulnerability and therefore can affect the entire network."

More spending, however, doesn't necessarily translate into making a company more secure. "Current spending levels are not a problem," said Lee Beachy, vice president, information technology and security at Laconia Savings Bank in New Hampshire. "The biggest obstacles are the cultural changes that assimilating better security (and privacy and contingency) practices require."

Beachy has tried to increase the emphasis on security by adding staff, investing in testing and auditing and "more thorough vetting of technology vendors."

Dig Deeper on Government information security management

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.