Regulatory Issues Drive Long-Term Security Strategies, While Recent Incidents Spike Spending

December, 2003

A recent study conducted by PricewaterhouseCoopers’ Security & Privacy Solutions concluded that the top reason organizations increased their security spending in 2003 was to satisfy the requirements of new legislation, such as the Sarbanes-Oxley Act, rather than fear of a major security incident.

Approximately two-thirds of the senior technologists polled in the PricewaterhouseCoopers study said they were deploying new security measures and products in 2003 to limit their organization’s liability. Almost 50% stated they were adding new policies, products, and services to comply with recent and pending regulations, while only about one-third stated their additional security efforts were motivated by the increasing risk of a major security attack or incident.

Even though the FUD factor was viewed as less of a driving force behind IT security spending, approximately two-thirds of the PricewaterhouseCoopers respondents indicated that their organizations had experienced a security breach in the past year, with the most common attacks coming from either a virus or a Trojan horse. The technologists listed the next two most common security incidents as unauthorized computer access entries and denial-of-service attacks.

While it is clear that the long-term growth in IT security spending is being fueled by many factors, a recent survey conducted by Computer Economics indicates that a series of high-profile virus attacks can have a significant influence on the short-term security spending patterns of many organizations. Figure 1 illustrates that the destructive virus attacks beginning in August of 2003 did have a major impact on the deployment of IT security products and services in many organizations.

Figure 1: In response to the August 2003 “Can of Worms,” is your organization acquiring additional security products and services?

  • New hardware – 12%
  • New software – 26%
  • Consulting services – 15%
  • All of the above – 32%
  • None of the above – 15%

Source: Computer Economics survey of approximately 100 IT organizations – 4Q03
