Putting a Price on Security

The potential danger of cutting IT security budgets is too high for most companies, but tough times call for creative measures. Here's how some companies are tackling the issue of how to save money while maintaining security.

As the economy takes body blow after body blow, companies are struggling to do more with less. When it comes to security, however, the cost of not doing enough can be immeasurable.

So, just how low can companies go?

For many companies, slashed budgets have forced a reassessment of priorities as well as some creative negotiating with vendors. But the question of how to save a buck without sacrificing security has some IT professionals both scratching and shaking their heads.

Mike Miller, director of IS at Media General, did the latter. Miller wanted to replace some of the 3-year-old monitoring and event correlation systems the company uses, but, with the capital portion of his budget dropping by about 50 percent, he will be unable to do so.

"We're running on older stuff for a little bit longer," he told eWEEK.

On the plus side, Media General's operational budget has remained steady, and, as of mid-January, the company's IT security staff has not been cut.

In the five years Miller has served in his position, the business's concerns have shifted from regulatory compliance to malware and phishing. With the economy being what it is, Miller said, there are no plans for any major implementations of new technology. These days, the company is more focused on making incremental improvements instead of broad new deployments.

Miller's story is not unique. Still, analysts say, overall security budgets have not been hit hard, yet.

"In the fourth quarter of 2008, we did not see security spending plans derailed, nor in the first two weeks of 2009," said Gartner analyst John Pescatore. "However, I think the first quarter will be tough; the natural tendency will be to delay spending to see if things get better in 2Q. Upgrading firewalls or IPS [intrusion prevention systems], for example, can usually be delayed a few months with no major impact."

A survey by Gartner put security at No. 8 on a list of the top 10 technology priorities for CIOs. Business intelligence was ranked first.

Other studies show that security occupies a larger segment of IT budgets than in past years. For example, according to a Forrester Research report titled "The State of Enterprise IT Security 2008 to 2009," security has gone from 7.2 percent of enterprise IT budgets in 2007 to 12.6 percent in 2009.

The study surveyed 942 North American and European companies of different sizes. The report lists data security as the top concern among IT security groups, with 68 percent citing it as "very important." Fifty-one percent cited business continuity and disaster recovery as "very important."

The very largest companies tend to spend the most on IT security, measured as a percentage of their IT budgets, noted Forrester analyst Jonathan Penn. These companies also tend to spend relatively heavily on staff, as a percentage of their IT security budgets. To compensate, they are slowing down or deferring security technology upgrades, said Penn.

"There are certainly companies whose IT security budgets are shrinking, and many companies face an extremely difficult climate for capital expenditures, delaying the rollout of new products," Penn said. "Overall, IT budgets are slowing but not declining. Across both SMBs [small and midsize businesses] and the enterprise, IT security budgets are gaining a greater share of the overall IT budget. In other words, IT security is slowing less than IT in general."