In times of recession there’s always talk about where information security budgets are heading. Some of it is prompted by marketing spin, some by genuine concern and some by wishful thinking. Many people claim that security budgets are holding up, but at the same time there’s a visible slowdown in some parts of the security market. The causes are numerous: bank mergers, restructuring, cutbacks, skills shortages, revised business priorities, changes in procurement policy, and project delays and cancellations.
But against this trend is a clear growth in the need for information security services, driven by increasing risks and compliance requirements, greater recognition of the importance of security by senior management and a need to correct a long-standing lack of investment in the security of legacy systems and infrastructure. On top of this we have the steady spread of sophisticated security practices to many small and medium-sized enterprises that had previously managed with little more than firewalls and anti-virus software. In fact, in the absence of a recession, information security would be booming.
Making sense of the impact of these contradictory trends is not easy. Projecting ahead is even harder. Some economic trends, such as unemployment, are counter-intuitive. Experience from previous recessions shows that job losses don’t peak until long after the recession has ended. There’s more downsizing to come. The pundits vary in their degree of optimism. Bruce Schneier has been warning of the difficulty of keeping on top of security workloads that have increased due to layoffs. Gartner report that security budgets are currently flat, while the rest of IT is in a state of decline. But they project better times ahead, suggesting that new projects will be driven by regulatory compliance initiatives and areas affected by cost-cutting measures. In fact it’s clear that we’re heading for a sustained battle between corporate governance demands and business reality. And at the end of the day, it’s sales and cash flow forecasts that call the shots.
What will be the impact on security? The answer is bad, a major setback in fact. When Gartner talk of better times ahead they mean for vendors. Sales will eventually pick up, but in the meantime a lot of damage will have been done to information security management systems, which take years to build, but can dissolve within months through neglect. And information security today already requires a lot more investment, as we race to catch up with an accelerating threat landscape, after a much delayed start. This is a bad time to be throwing out the baby with the bathwater.