Security behavior and buying trends for 2012

PCI data security standards may be a hot topic, but a recent survey by Gartner found that 18 percent of respondents admitted to not being PCI-compliant, even though the survey data suggested that they should be.

Gartner conducted a series of kiosk-based surveys between June and September of this year at Gartner’s annual IT Security Summits and Catalyst events in North America and its Security & Risk Summit in EMEA. The surveys of 383 IT managers found trends in buying behaviors and permitted predictions of future security spending.

“Given that many of the technology providers in the security market target their products and help with PCI-related compliance initiatives, it came as something of a surprise that such a high percentage of survey respondents said that they were not PCI-compliant,” said Lawrence Pingree, research director at Gartner.

“Technology and service providers should continue to market their ability to help solve customer issues with compliance for the PCI security standards. End-user organizations must also work to address the awareness of their PCI security standards compliance status, so that their employees know whether or not they are compliant with the PCI standards,” he added.

Mr. Pingree said that change is the key theme to the budget survey. Last year, 55 percent of those surveyed said their budgets would stay the same for next year; however, this year only 30 percent confirmed this.

Furthermore, 33 percent of respondents expected growth in their budgets, with 22 percent expecting a 5 percent or more IT budget increase compared with 20 percent last year, meaning there has been a slight increase in the overall spending for security. This is despite the fact that 15 percent of this year’s respondents said they expect a budget decrease; last year 9 percent predicted a decrease in their overall IT budget.

This year, the IT security budget planners who are expecting an increase are expecting a fairly significant increase in their security budget allocations over last year. Last year’s budget expectations were for a 6 percent share of the total IT budget expenditure to be allocated to the security function.

In this year’s survey, that allocation has increased to a mean of 10.5 percent, an increase of over 4 percent. This means that roughly 10 cents of every IT dollar allocated will be spent on IT security.

Gartner found that the dominant spending this year was on personnel, which is similar to last year; however, this year allocation is down slightly from 35 to 32 percent. Consulting services and outsourcing services are also both lower from last year’s numbers, with a significant consulting decrease from 14 percent last year to 11 percent this year, and outsourcing dropped from 18 percent last year to 11 percent this year.

Budgetary increases this year came in both hardware and software spending, with hardware up from 18 percent last year to 22 percent this year, and software up from 20 percent to 22 percent as organizations continue to deploy products to address heightened security issues based on recent press and large-company data breaches.

Mr. Pingree said that enterprises are planning on reducing resources to administer the security technologies they have added to their portfolios this year by leveraging better initial integration or through reduced ongoing external consulting. They will most likely do this by utilizing increased automation in many security products and working to make their internal security workflows more efficient, lowering demand for overall human resources or consulting costs.

When asked about the top security projects for 2011, respondents put data loss prevention (DLP) at the top of their list with user provisioning and event management coming in second and security information and event management (SIEM) coming in third on the priority list. Intrusion detection, network access control, application security, and IT governance, risk and compliance management (GRCM) tools also rank high up on the list.

“This new focus on data-loss prevention is critical when considering the dynamic nature of cloud environments and trends to virtualize application workloads,” said Mr. Pingree. “This will be considerably important in order to support the attachment of business policy controls to data types as the dynamic nature of data movement within application workloads is sought.”