Focus on IT security continues to be a major issue for most organizations, and data from our most recent spending study confirms that spending on IT security remains strong in this era of cautious IT budget growth.
But first, a quick primer on Computer Economics IS spending terminology. Computer Economics surveys hundreds of organizations each year regarding IS budget trends. The survey data is used to develop our annual Information Systems Spending and Technology Trends study, which we have published each year since 1990. It is important to bear in mind the distinction we make between the terms IS (information systems) and IT (information technology). IS refers to the organization within companies that manage and support the use of technology, while IT represents the technologies themselves. Although not all IT spending is in the IS budget, in most companies the IS budget represents most of the IT spending.
Security Budget Trends
Over the past three years, IS operating budgets as a percent of revenue have declined to a median 1.7% of revenue in 2005, from 2.0% in 2003. During this same period, IT security spending has remained at a constant 3.0% of the total IS budget, as shown in Figure 1.
We attribute the decline in IS budgets as a percent of revenue to be due primarily to the strong economy over the past three years, combined with a general unwillingness of management to let IS budgets increase accordingly. In other words, IS executives continue to be under significant cost constraints. Keep in mind that, during this period, other metrics that we gather indicate that IS budgets actually increased in terms of absolute dollars. But on a percentage of revenue basis, they declined as revenues grew faster than the IS budget allocations in most organizations.
Shifting Priorities for IT Security Spending
While security spending did spike significantly after September 11, 2001 (9/11), much of that spending was the result of IS organizations “borrowing†budget dollars from other areas. The reality is that security budgets have remained at a relatively constant 3.0% of the IS budget from 2003 through 2005. At first blush, this may appear to contradict much of the industry hype around security spending increases. However the fact that security budgets have remained steady while many other IT budget line items have lost ground indicates that security is still considered a high priority.
It is also important to note that over the past several years most IS organizations have implemented preventive measures that have resulted in more cost-effective security spending today. For example, monies previously spent in hardening the corporate network against malware attacks have lessened the need to spend money on remediation of infected networks today. Therefore, the fact that security budgets have remained constant, while the costs of remediating malware attacks has dropped, indicates that many companies are now able to concentrate their security budget dollars on new capabilities designed to harden the infrastructure from other security threats such as unauthorized access, data theft, and identity theft.
The ability for organizations to shift their focus on security spending is an important factor as the nature of computer crime continues to evolve. Preliminary results from our latest security survey indicate that, while malware attacks are declining, other types of security threats such as phishing and other targeted security threats are growing.
November, 2005
Update: February, 2006. For up-to-date statistics, benchmarks, and metrics for IT security spending, staffing, technology adoption, and management best practices, please see our 2006 IT Security Study.
