The Cambridge, Mass.-based research firm interviewed nearly 1,000 firms for its State Of Enterprise IT Security: 2008-2009 report and found, among other things, that the security portion of IT budgets is expected to rise to 12.6 percent in 2009, up from 7.2 percent in 2007 and 11.7 percent in 2008.
"Even during challenging economic conditions, IT security remains an integral part of business operations as firms look to maintain their current environment as well as plans for the implementation of new initiatives," wrote Forrester analyst Jonathan Penn, the report's chief author. In a follow-up interview, he told CSOonline that companies still aren't looking at security as a business enabler. But they now understand that it's at least better to take steps to prevent attacks than to do nothing.
"Security is getting a bigger slice of the IT pie, with the focus less on reactive vulnerability defenses and more on looking at what's necessary to protect the business," Penn said. "More often than not, the focus is on protecting the data itself."
Spending not up for all
CSOonline conducted its own poll on the subject and found, not surprisingly, security professionals who see a different picture in their own environments.
A security officer who manages IT security operations for a county government on the east coast said he has faced tough budget choices.
"As with all other state/local governments, we are directly impacted by the housing decline, unemployment and a decrease in state funding," said the security officer, who asked to remain anonymous because he isn't authorized to speak to the press. "Because of this, revenue decreases for next fiscal year (beginning in July) are estimated at between 10-25 percent."
His choice was either to cut staff from an already lean team or decrease operating expenses. He decided to reduce existing spending, largely on the technology front.
Zach Lanier, senior network security analyst at Harvard Business School, said overall, security spending at his organization will be down, mainly because it has completed initiatives that started and closed in 2008. Costs for those projects in 2009 will be mostly operational expenditures, he said.
"We're not immune to the economy's poor performance. While Harvard Business School has traditionally been a big spender, the current conditions have caused us to think twice just in case," he added. "I would be inclined to add that it's also caused my organization to think twice about different ways of tackling problems."
For example, he said, the organization has turned to "high-performance" commercial products to get it to that "85 percent" and filled in the rest with free and open source tools. "Also," he said, "we've stepped back a bit and looked at processes and procedures and how those can be improved rather than just throwing money at a vendor."
Security not linked to economy
Others confirm their organizations' plans reflect Forrester's findings. In these cases, security is an ongoing necessity unaffected by economic peaks and valleys.
"In the government, pressures caused by data losses have prompted more spending," said a UK-based IT security specialist who requested anonymity because he isn't authorized to speak to the press.
According to the Forrester report, firms are devoting 11.7 percent of their company's IT operating budget to IT security in 2008 compared with 7.2 percent in 2007, and they plan to continue nudging up IT security budgets in 2009 to 12.6 percent of the IT operating budget. Allocation of budget for new security initiatives mirrors this trend, going from 17.7 percent in 2008 to 18.5 percent in 2009, Penn said.
"There has been a clear and significant shift from what was the widely recognized state of security just a few years ago," the report notes. "Protecting the organization's information assets is the top issue facing security programs: data security (90 percent) is most often cited as an important or very important issue for IT security organizations, followed by application security (86 percent), and business continuity/disaster recovery (84 percent)."
Meanwhile, the report said, areas like threat management (81 percent) and regulatory compliance (80 percent) are cited less frequently. Data security also tops the list of business objectives for security, with 89 percent citing protection of corporate data and 87 percent citing protection of personal data as important or very important business objectives.
When security budgets aren't measured
In some cases, it's hard to figure out how far up or down spending is because the company in question doesn't have a specific line item for security.
"Most companies I have worked with don't even measure any type of security budget," said Nalneesh Gaur, chief information security architect and principal at Diamond Management & Technology Consultants Inc. in the Dallas/Fort Worth area. "As a consultant, I get involved with companies where something bad has happened like getting hacked. With getting hacked as the driver, I often see a surge in priority for security where the company will spend a lot of money."
The trick is whether they can sustain the program after the first year, he said.