Despite an expected 300 percent spending increase on information technology security over the next four years, bad decision-making will leave U.S. companies almost as vulnerable to security breaches as they are today, according to a new report issued by Forrester Research.
The report, titled “Sizing the Security Market,” estimates that firms will increase security spending by 55 percent over the next two years, with total annual spending reaching US$19.7 billion by 2004. However, rather than focusing on key business assets, companies will waste billions of dollars on external security spending, falling into the trap of trying to protect everything.
Internet Fears Shift Priorities
Resource shortages and time constraints are forcing companies to rely on external security services to subdue their Web-related security fears, the study found. Two-thirds of the firms in the report listed the Internet as the top reason for their increase in security spending, but more than half stated they lack the funds to implement all of the security measures they need.
“We just can’t find all the people we need, and we don’t have the money to do this internally,” one firm said.
By 2002, most companies will be decreasing the amount they spend on core system security, shifting funds to access control and incident response, the report states. Planning and management expenses will remain flat.
Spending on internal operations is expected to decrease from 57 percent to 34 percent over the next two years, with funds being reallocated to outsourced services and consulting.
Missing the Mark
As Internet crime continues to grow in the future, Forrester said, businesses will focus their security efforts on trying to hold onto customers, ignoring the more potent threats waiting to pounce from inside the company itself.
By overlooking the security vulnerabilities of their own automated business processes, companies put themselves at great risk, Forrester said.
“Cross-organizational business processes will be critical in six years,” the report states.
To address these IT security deficiencies, Forrester analysts offer several courses of action that companies can begin implementing now.
The report recommends making business managers responsible for all security, including business process security. In addition, security risk assessments should be included in all business decisions, ensuring that IT security risks are evaluated on the same level as other operational risks. This process includes the building of security monitoring into Internet business practices.
“Companies have to put their own detection and escalation procedures in place now,” the report states, “and externalize them when the security industry catches up.”