IT Security Budgets Return Focus to Complex Projects

Complex identity management, data leak prevention and other projects tied to business initiatives are back on the menu for many IT security organizations in 2010, Gartner found. Still, security has dropped off slightly as an overall portion of the IT budget, and those looking to cut spending even further can do so in several key ways.

Enterprises are getting back to business-driven security initiatives after putting off some large-scale projects last year, according to analyst firm Gartner.

While security spending tied to "keeping the bad guys out" was not heavily affected by the economy, many IT security organizations scaled back on capital-intensive projects in 2009, Gartner found. This year, however, security spending tied to efforts such as complex identity and access management (IAM) and data loss prevention (DLP) projects is beginning to reappear as many businesses unfreeze budgets.

In its 2010 CIO Survey, Gartner found 20 percent of organizations declared IAM the top security priority. More than 40 percent of organizations named intrusion prevention systems, patch management, DLP, antivirus and identity management among the top five security priorities for 2010. Spending is also set to continue for priorities such as supporting guest networking, secure wireless LANs and employee teleworking.

Interestingly, this change coincides with a drop-off in security's share of the IT budget from six to five percent of the total, and Gartner believes efficient enterprises will be able to safely cut security spending by 3 to 6 percent of their overall IT budgets through 2011.

"What we say in the presentation is that organizations that have matured their security programs are likely to move towards operationalization or re-operationalization of some of their security functions," Gartner analyst Victor Wheatman told eWEEK. "That is, the chunka-chunka types of things like monitoring firewalls, updating patches and signature files and the like can be moved from the security area into infrastructure operations, networking or even outsourced to a managed security services provider who takes over those functions at lower operational and capital expenditure costs and ideally providing higher levels of security."

"Not only does this reduce the official security budget," he continued, "but it can cut overhead because one console and one operator may replace several...other efficiencies including the consolidation of functions: what were separate firewalls and intrusion detection systems are now next-generation firewalls which do those two things and more...and we've seen some organizations save money using open source or commercialized products based on open-source technologies."

"Finally, in order to save money, organizations start to wake up to the fact that some platforms and operating systems contain security elements that are 'in the box' but are not deployed," he added. "They may not have been deemed 'good enough' but they may be OK, particularly in a pinch. A simple example off the top would be using password-protected zip files rather than buying a separate encryption product for occasional use."

North American companies led security spending in 2009, averaging 5.5 percent of IT budgets, compared to five percent in Asia/Pacific and slightly more than four percent in Europe, Gartner found.