Payment Card Industry data
security standards may be a hot topic, but a recent survey by IT research firm
Gartner found that 18 percent of respondents admitted to not being
PCI-compliant, even though the survey data suggested that they should be. The
survey of 383 IT managers found trends in buying behaviors and permitted
predictions of future security spending.
Last year, 55 percent of
those surveyed said their budgets would stay the same for next year; however,
this year, only 30 percent confirmed this. Furthermore, 33 percent of
respondents expected growth in their budgets, with 22 percent expecting a 5
percent or more IT budget increase, compared with 20 percent last year, meaning
there has been a slight increase in the overall spending for security. This is
despite the fact that 15 percent of this year’s respondents said they expect a
budget decrease; last year, 9 percent predicted a decrease in their overall IT
budget.
"Given that many of the
technology providers in the security market target their products and help with
PCI-related compliance initiatives, it came as something of a surprise that
such a high percentage of survey respondents said that they were not
PCI-compliant," said Lawrence Pingree, research director at Gartner. "Technology
and service providers should continue to market their ability to help solve
customer issues with compliance for the PCI security standards. End-user
organizations must also work to address the awareness of their PCI security
standards compliance status, so that their employees know whether or not they
are compliant with the PCI standards."
This year, the IT security budget
planners who anticipate an increase are expecting a fairly significant increase
in their security budget allocations over last year. Last year’s budget
expectations were for a 6 percent share of the total IT budget expenditure to
be allocated to the security function. In this year’s survey, that allocation
has increased to a mean of 10.5 percent, an increase of over 4 percent. This means
that roughly 10 cents of every IT dollar allocated will be spent on IT
security, the report found.
Gartner found that the
dominant spending this year was on personnel, which is similar to last year;
however, this year, allocation is down slightly from 35 to 32 percent.
Consulting services and outsourcing services are also both lower from last
year’s numbers, with a significant consulting decrease from 14 percent last
year to 11 percent this year, and outsourcing dropped from 18 percent last year
to 11 percent this year.
Budgetary increases this
year came in both hardware and software spending, with hardware up from 18
percent last year to 22 percent this year, and software up from 20 percent to
22 percent as organizations continue to deploy products to address heightened
security issues based on recent press and large-company data breaches.
When asked about the top
security projects for 2011, respondents put data-loss prevention (DLP) at the
top of their lists with user provisioning and event management coming in second,
and security information and event management (SIEM) coming in third on the
priority list. Intrusion detection, network access control, application
security, and IT governance, risk and compliance management (GRCM) tools also
rank high on the list.
"This new focus on
data-loss prevention is critical when considering the dynamic nature of cloud
environments and trends to virtualize application workloads," Pingree
said. "This will be considerably important in order to support the attachment
of business policy controls to data types as the dynamic nature of data
movement within application workloads is sought."