Research Predicts Security Spending Slowdown

Despite recent scandals, a new survey of CISOs conducted by Merrill Lynch finds that IT executives plan to reduce spending during the second half of 2006.

Even as high-profile data leaks grab headlines and compliance auditors begin making their rounds, many chief information security officers are preparing to trim their budgets.

According to a new survey of North American CISOs released by New York-based investment bankers Merrill Lynch & Co., enterprises are hoping to throttle down their spending on new IT security technologies over the second half of 2006.

On average, the IT security executives interviewed by Merrill Lynch said they plan to increase spending by only 2.9 percent over the next 12-18 months, whereas CISOs had indicated plans to increase spending by 11.4 percent when the survey was last conducted in March 2006.

The number of survey respondents who said they spent less than 5 percent of their budgets on security products over the last quarter increased from 40 percent at the end of first quarter 2006 to 56 percent at the close of May.

The number of CISOs who spent 6 percent or more of their budgets on security decreased from 60 percent to 44 percent at the end of the first quarter 2006. Product release cycles could have weighed significantly on those results, the Merrill Lynch report conceded.

Among the trends driving the reduced spending on IT security is the growing inclusion of defensive features built into technologies such as network equipment and Microsoft's next-generation Windows Vista operating system.

However, while 7 percent of those surveyed for the report said they hope to eliminate the need for stand-alone security products altogether by using such tools, only 16 percent said they actually plan to buy fewer products, with 22 percent holding out for price concessions from vendors before making additional purchases.

As a result, existing vendors have little reason to fear being replaced by security features on other products anytime soon, Merrill Lynch said. The report indicates that many companies are not yet ready to trust vendors such as Microsoft to protect their own products, contrary to some industry watchers' assertions.

"We believe [the findings] mitigate long-standing concerns that security vendors will ultimately go away or be absorbed by larger infrastructure vendors," wrote Ed Maguire, the Merrill Lynch analyst who authored the report. "[The] key will be for vendors to anticipate new security needs with extended or newer offerings."

However, the report said some types of security applications, such as anti-virus software, firewalls and VPNs, will become increasingly commoditized, putting pressure on stand-alone vendors of the technologies as demand decreases.

One of the areas of IT security that the report found to be the most in demand among CISOs was the so-called extrusion prevention sector, which encompasses products that aim to stem network data leakage. Other segments of the security market expected to be strong include the endpoint security space, or technologies used to lock down information on devices such as laptops, and strong authentication, which involves more sophisticated user access control tools, the report said.

The research also contends that CISOs continue to up their status in the decision-making process, finding that the authority to buy security technologies was almost evenly split between top-level executives and dedicated security staffers at the companies interviewed.

Bob Egner, vice president of product management at Pointsec Mobile Technologies, which markets software used to encrypt data on desktops, laptops and mobile devices, said demand for the company's applications is not slowing, but rather becoming more consistent.

"Whereas in years past, even in 2005, companies were coming to us with money that they had left over from other projects, now the spending on endpoint security is becoming something that is being budgeted at the beginning of the quarter, or the year," Egner said. "We see more people trying to keep their names out of the headlines before the big events happen, in addition to those who have already had problems."

Pointsec's revenues back up Egner's assertion that security spending is actually growing inside of enterprises' IT budgeting plans. The Lisle, Ill., company reported a 56 percent year-over-year sales increase for fourth quarter 2005, and claims it is on track to significantly improve on all of its quarterly revenues in 2006, compared to last calendar year.

"The awareness of spending for the type of technology we provide is escalating to the CEO level," Egner said. "That's helping to drive more consistent demand, as the technology is seen as a strategic investment rather than being applied as an afterthought."
