Data security now 10% of IT operating budgets, Forrester says
Forrester study also shows greater visibility for security pros brings opportunity, scrutiny
By Jon Brodkin, Network World, 09/04/2008
IT security budgets are on the rise, reflecting growing concern over data breaches and increasing CEO involvement in the task of protecting sensitive data, Forrester Research analysts say.
Ten percent of IT operating budgets is devoted to security in 2008, an increase from 8% last year, a Forrester study released
Thursday revealed. In a survey of 1,255 security decision-makers at North American companies, 21% expect to increase IT security
spending in 2009, compared with 6% who expect security spending to decrease. The rest will keep their security budgets stable.
Those are impressive numbers in this economy, analyst Khalid Kark said in a keynote during Forrester's Security Forum in Boston.
"I remember when the security budget was less than 4% of the IT budget," Kark said. "This number is amazing. In this tough
economic time, three out of four of us are saying we're going to keep this 10% budget and one in five of us are saying we're
going to increase this budget in the next 12 months. Wow, that's great."
If there is a downside for security-minded IT professionals, it's that more money brings greater scrutiny. More red tape, processes and approvals are needed to justify purchases of even relatively minor security products, Kark said. An organization-wide focus on security also brings higher expectations, and sometimes conflicting expectations from the various departments in a business.
But IT security pros are enjoying greater influence with business executives. Security has been the top priority for CIOs
in Forrester surveys for four straight years, and 30% of security decision-makers surveyed report having a "dotted-line relationship"
with the board or CEO. Another 19% report having such direct links to the executive committee.
"We've all been frustrated in making the case for information security, getting [the business executives] to buy in. But I
think times have changed," Kark said. "I remember the time when I had to wait two weeks to get a meeting with the CIO, let
alone the CEO."
Kark attributes this change in attitude partly to data breaches and resulting media coverage and lawsuits that focus public
scrutiny on information security. But the shift has also occurred because IT professionals have spent years arguing that security
deserves greater attention, and CEOs are starting to get it, he said.
The challenges of security are numerous, and include protecting customer information and corporate intellectual property while
developing disaster recovery capabilities, Kark said. Businesses must also decide whether it's appropriate to merge IT security with physical security. While that convergence
makes sense in some cases, in other businesses the two types of security are operated so differently that a convergence creates
more problems than it solves, Kark said.
Comments (1)
20% in 2006?
By dpichotto on September 5, 2008, 12:51 pm
Didn't NW run the article that said: "According to a recent study published by The Computing Technology Industry Association (CompTIA) of more than 1,000 enterprise...