Pro: Grant Waterfall, cyber security partner, PwC
The stats from our ‘The Global State of Information Security’ study show that budgets actually dropped 2013-14. Companies made big spending leaps in 2012-2013 (spending increased by 40 percent) and you wouldn't expect that to be sustained, and some companies are starting to be smarter about what they spend on.
Then there's the economic side. Some companies have been waiting for economic recovery, though it's worth noting that large company budgets increased by five percent. That would probably indicate that the economic situation has hit SMBs the hardest.
But for me, it's a bit of a mixed picture. Some firms plan to spend more next year, and I think it's a case of companies being in different places.
There are also companies moving towards ‘digital disruption’ to stay competitive and I am seeing those companies spending more on security, when previously it wasn't high on the agenda. However, this will hit some companies now, and others later.
The study shows increasing awareness at board level and, in many cases, this awareness is not the problem – it's translating it into action. I see the lag there as another reason for the mixed picture.
Some CISOs do a convincing job but get no new investment, and the chance is that it won't be improved for a while until a big breach hits.
Anti: Ollie Whitehouse, technical director of security consulting at NCC Group
We are seeing security budgets maturing and have seen no evidence of reduced spending on cyber-security amongst businesses of any size. Cyber-security is a complex space which is no longer solely the domain of IT departments. Mature organisations are using a mixture of training, technology and services to meet requirements around risk, governance, compliance, technical assurance and incident management.
As a result, spend in some organisations has become decentralised. Information security and risk management have become more pervasive and are now embedded within numerous business functions, processes and operations, thus spending is often taken from multiple budgets without being itemised as cyber-security.
For smaller companies, with the advent of Cyber Essentials and similar initiatives, we are seeing a move beyond businesses treating security as simply the presence of anti-virus software.
The supply chain is also coming under greater scrutiny as more businesses realise the risks posed by third-party suppliers.
In general, more mature companies are also improving their ability to detect successful attacks. However, businesses rarely retain individuals able to deal with sophisticated attacks. Therefore, on top of the increase in budget for mitigation, we are also seeing an increase in spend in reactive engagement.