IT security spending: A budget drain or a necessary drag?
By Benjamin Cher August 26, 2016
- IT security spending needs to be more disciplined and has to be reined in
- Analysts forecast continued growth on IT security spending, vendors disagree
IT security spending seems to be ballooning, with various research firms forecasting continued increases up to 2020. But IT budgets are finite and are unlikely to expand infinitely to meet this demand.
So how does one reconcile these two opposing forces?
What is needed is fiscal discipline, according to Chris Richter, senior vice president of Global Security Services at Level 3 Communications, who proposes that IT security be moved into a completely different budget.
“If you’ve got a billion-dollar IT budget, security may be 20% of it – but even with a US$200-million budget for security, if you run out of money, you can’t go anywhere.
“So you have to be far more disciplined,” he told Digital News Asia (DNA) in Singapore.
One reason security spending is spiralling out of control could be that chief information officers (CIOs) are looking to buy the next great technology touted as able to solve all their security problems, Richter suggested.
“There are really promising solutions out there, but they are very, very expensive,” he said.
“You may get that new technology and think you’ll sleep better at night, but once you get it in and install it, it doesn’t work the way you want it to.
“Then you’ve got to hire people to manage the new stuff you bought – but you can’t find them because the security industry has a negative employment rate, where there are more positions than people to fill them,” he added.
Matt Alderman, vice president of Global Strategy at Tenable Network Security, does not believe that spending has gone out of control.
“The challenge is that security is tied to the IT budget, and if you look at the percentage spent on security, it is only three to five percent of the IT budget,” he told DNA in Singapore.
“And I see studies that would tend to take us in the direction that we will eventually spend less on security,” he added.
That is because companies are unlikely to keep throwing money at the problem if they cannot get good results.
“I don’t think we are getting the results we want out of security, and I’m not sure we’ll see that momentum forever – we are already seeing some of those cutbacks this year already,” said Alderman.
On the other hand … analysts
Gartner forecasts that IT security spending will hit US$81.6 billion in 2016, despite the fact that overall IT spending is expected to be flat.
“The overall information security market is forecast to grow at a compound annual growth rate (CAGR) of 8.1% through to 2020 to touch US$111 billion, with stable demand across security technologies and services,” Gartner principal research analyst Sid Deshpande told DNA via email.
CIOs would need to demonstrate a return on investment (ROI) in IT security spending.
“Large enterprises spend anywhere between 5% and 20% of their total IT budget on security today, depending on the current maturity of their security programme and their overall proclivity to digital business,” said Deshpande.
“While security spending is growing at a healthy rate, many security leaders are challenged in terms of demonstrating ROI on their security investments.
“It is critical for CISOs (chief information security officers) and security leaders to link their security budget items to business metrics and indicators in order to communicate the value of their security,” he added.
Charles Lim, industry principal of the Cyber Security Practice and Digital Transformation at Frost & Sullivan, however, believes that the reality might not fit forecasts.
“The recommended budget to spend on IT security is about 10% of the overall annual budget – however, we understand that most are spending around 5%, and some barely even 3%,” he told DNA via email.
Only if an incident occurs would they consider increasing their security budgets, he added.
Lim said that organisations should see IT security as a business enabler rather than just a line item on their budgets, and suggested that more education was needed to instill this idea in decision-makers.
“While it is difficult to justify ROI on security spend, organisations should look at it from the possible loss they have from downtime; the fines they may have to pay to the authorities if they suffer a breach; the reputational loss that could affect investments; and consumer distrust in the products and services they offer,” he added.
The need to juggle shrinking budgets with security is leading to some of these functions being outsourced, according to Level 3 Communications’ Richter.
“You can get a lot of advantage by outsourcing to service providers, because then you don’t have to hire as many people,” he said.
“Remember back when data centres used to be in our buildings along with the telephone switchboards? All that got outsourced.
“IT and security is following the same path – it doesn’t make sense to do it all ourselves, which only drives up the cost,” he added.
Rahul Mathur, Asia Pacific head of enterprise business at Tata Communications, concurred, suggesting that businesses find partners rather than do it internally.
“CIOs are increasingly looking at cost-optimum solutions that can keep their data secure and the company’s reputation intact,” he told DNA via email.
“One way of managing this complex environment is to remotely host security services instead of building extensive internal capabilities.
“Partnering with a specialist in cybersecurity is going to be the most effective alternative to internal upkeep, not only from an operations standpoint but also from a competence point of view,” he added.