


A penny saved?

Oct 13, 2011 | 4 mins
Budgeting | CSO and CISO | Data and Information Security

Are enterprises that are cutting their security spend tempting fate? Survey shows more businesses pulling back, or putting off, what they're spending on security. Experts say now may not be the best time.

It’s been a tumultuous decade for IT spending. In the recession that started in late 2000, many enterprises slashed IT investments wherever they could, except for IT security, which saw many businesses increase investments. Then, following the financial and mortgage meltdown, after a few years of growth, IT budgets remained flat, while investments in security and regulatory compliance initiatives still managed to remain strong.

Today, the relative strength of IT security spending compared to other aspects of IT is starting to show its age. According to the responses to this year’s CSO/CIO/PwC Global Information Security Survey, more enterprises are deferring IT security spending and cutting costs where possible. In fact, nearly half of all of those surveyed said they trimmed security costs last year, while only a slim majority, 51%, said they will increase security spending next year.


Additionally, capital expenditure deferrals increased by nearly 19 percent since 2009, as 51% of organizations said they are pushing expenses into the future, compared to just 43% who said the same in the previous year’s survey. For operational expenditures, the number of enterprises that deferred is up 17%, from 40% in 2009 to 48% who said they are doing so today.

Douglas Davidson, president and CEO of security services provider Jacadis, says that they’re not seeing IT security spending drop in their business. They are, however, seeing many more delayed projects. “Businesses have clearly lengthened their decision-making processes,” says Davidson. “In the past you would have a security event, such as a virus outbreak or denial-of-service attack, and the executives would be concerned and the budget would be allocated,” he says. “Those days are gone.”

Davidson shared a recent anecdote of a customer that needed a project completed and agreed to 100% upfront payment terms. Shortly after agreeing, the client came back to renegotiate the deal into four payments across a two-month period so they could get their final approval. “This was not a big project, and they are a publicly traded company,” says Davidson.

In addition to delaying security initiatives, enterprises may also be picking their spots more carefully. “In a down economy, you probably aren’t spending time revamping your security strategy,” says Andy Ellis, the chief security officer at Akamai Technologies. “Hopefully, they’re executing on their existing strategy in the most cost-effective way possible,” he says. “Rather than spending more money, that’s my best guess as to what a lot of these respondents are doing.”

Paradoxically, uncertain economic times may not be the wisest time to pull back on security spending, as the threat landscape may grow worse. We’ve seen a number of insider threats in recent years. As our 2008 story Tough Economy Heightens Insider Threat showed, insiders with privileged access can cause serious damage, such as the disgruntled administrator for the city of San Francisco who blocked access to a central network by resetting admin passwords and refusing to share those passwords with city officials. Then there was the systems administrator at Medco Health Solutions Inc., who planted a logic bomb that could have destroyed data on 70 servers.

And, more recently, there’s been the sudden burst of hacktivism (that is, attacks often sparked to make a political or other statement), such as the attacks of the hacker collective Anonymous against PayPal, Visa, HBGary, and Sony.

“There is certainly a correlation between times of high unemployment and fragile relations with employees, and an increase in people doing bad things,” says Robbie Higgins, VP of security services at IT solution provider GlassHouse Technologies. “But does that make companies spend any more money on information security? Not that I’ve seen so far. It makes them aware of it. It’s not necessarily a catalyst for more investment,” he says.