In a survey of almost 10,000 executives and IT directors, accountancy firm PwC says that global security budgets fell by four percent year-on-year in 2014, despite also finding that the reported number of security incidents had risen 48 percent to 42.8 million – the equivalent of almost 120,000 attacks each day.
Detailing its findings in the ‘The Global State of Information Security' report, the firm estimates that global information security budgets fell by four percent year-on-year, and admitted that this was a surprise considering research outfit Gartner has forecast that security spending will rise 7.9 percent to £44 billion (US$ 71 billion) this year.
It added that security spending remained consistent at just under four percent of total IT spending, a sign perhaps that most CISOs are still reporting to the CIO.
“Information security is a risk issue, not an IT issue,” said cyber security attorney Lisa Sotto in the report. “Information security should be a distinct function, with a separate governance structure and a separate budget so that appropriate resources are given to information security.
“Having CISOs report to the head of IT is a vestige (of earlier practices).”
Phil Cracknell, CISO and director for the security and privacy service at consultancy Company85, agreed, adding in an email to SC: “I think the apparent decline in budget for security, combined with the list of high-level security activities that the board doesn't take part in, proves that information security is predominantly reporting into IT and IT budgets are dropping due to cloud and software as a service.
“If security reported anywhere other than IT it wouldn't be sucked into this decline. It can only spell danger for businesses as attacks increase and threats grow more prolific.”
Nonetheless, the report provides no obvious reason for the fall; it says that it could be down to heavy investments in 2012 (when security spending rose 40 percent YoY) being followed by a natural slowdown, or a reluctance to increase spending during a modest economic recovery. Fernando Camarotti, CISO of global metals and mining company Vale, added in the report that more targeted security practices have resulted in organisations looking to ‘strategically optimise spending'.
More encouragingly, the report noted that employee security awareness training (contrary to other studies) was the top spending priority for the next eight months (27 percent), followed by account provisioning/de-provisioning (24 percent) and behavioural profiling and monitoring. Others intended to spend on smartphone encryption, DLP, mobile malware protection, SIEM and incident management response.
Paul Vlissidis is director of .trust at security consultancy NCC Group and doesn't believe that spending has dropped at all, given the continuing dialogue between IT security and the CEO.
“We at NCC Group have not seen any evidence of reduced spend amongst businesses of any size. In fact the opposite is true, with cyber security awareness taking a more prominent position at board level,” he told SCMagazineUK.com.
The firm's CEO Rob Cotton added that it is possible security spending is entwined in other areas of business.
“Traditional information security and risk management are only a few areas of security. It has become more pervasive and is now embedded within numerous business functions, processes and operations, meaning spending is often taken from multiple budgets in a de-centralised fashion without being itemised as cyber security,” he told SC.
“Therefore, one possible reason for PwC's conclusion in this research is that some expenditure is lost within external (cloud) services. Another reason may be that some spending is now being used for brand protection, for example since the roll-out of new gTLDs, and so is part of a different budget.”
Meanwhile, Good Technology VP and general manager Phil Barnett believes that it may be a case of money being positioned elsewhere.
“More forward-thinking companies are grappling with the new business reality head on and reducing costs through aggressive BYOD and cloud storage solutions, and reducing dependency on fully-managed PC operations. This enables them to increase spend not just on technical security solutions but also on the education of employees, which is equally vital.”