Security budgets

I was interested to read a brief spot check survey of three F500 CISOs about security budget projections on Jim Reavis’ Riskbloggers site. This suggested that CISOs have yet to feel the impact of the credit meltdown on their budgets. Increases in budgets are still planned for next year but the best case scenario is that they’ll remain unchanged. That sounds about right.

Every vendor and journalist I meet these days asks me for my opinion on next year’s security budgets. It’s an interesting question. It’s often suggested that information security is a recession-resistant career. That’s true. It might change its name and activities, but it will always be needed. And it’s not optional like some other corporate functions, such as marketing and brand management. But there will certainly be changes. Operational security processes will be largely unaffected in the short term, but we can expect non-urgent IT and security investments to be postponed. And there will be fewer banks, which means fewer staff and less external spending.

But demand might also increase in some areas. Mergers in the financial sector will create new demands for security architecture, identity management and testing to support integration activities. Business risk management will be taken more seriously. Regulatory compliance demands will increase. There will be more organisational reviews. And headcount reductions might push up external consultancy spending. There will be more demand for Software-as-a-Service security products that can cope better with variable user demand.

The main thing to remember is that most security spending reflects trends in risks and incidents, rather than in the state of the economy. And all projections are that cybercrime and major data breaches will increase. So don’t expect a complete meltdown in security budgets.