Since January, I’ve spent a lot of time interviewing IT executives for a benchmark research report on Security and Information Protection. The statistical analysis of the results of this research shows some interesting trends.

It’s been a long time coming, but the indications are that security and information protection are finally getting the mind-share they merit, based on the only metric that really matters: Cash on the barrelhead. In other words, when it comes to investing in security and information protection, companies are finally putting their money where their mouths are.

Security budgets have increased 21% from a median of 3.9% of overall IT budget in 2005 to a median of 4.7% in 2006, with 13.8% of interview participants spending 10% or more of their IT budgets on security. Interestingly, the smallest companies (revenues less than $100 million) and the largest (revenues more than $10 billion) spent the most.

But the numbers alone don’t tell the whole story. In 2005 we advised companies they should be spending minimally 5%, and ideally 7% to 8% of their IT budgets on security, in order to address new compliance challenges and mitigate a growing universe of threats.

So the really big news here is that it’s happened — companies are investing seriously in security.

Why the shift? In a nutshell, it’s because of the impact of high-profile breaches (particularly privacy-related ones) over the past 12 to 18 months.