Tom Kemp's Centrify Blog

Recent Surveys Point to Fairly Positive Signs for Security Spending

Tuesday, April 28, 2009

I recently came across three security spending surveys that, for the most part, point to positive signs for the security software market during this recessionary calendar year. All three point to security being among the most "mission-critical" (i.e. "must have") area of all of software and IT spending, with identity and access management being one of the most important areas within security given compliance requirements and concerns regarding who has access to sensitive data.

The first one, from Forrester was quoted heavily in Microsoft's various RSA press announcements and stated that companies will devote 12.6 percent of IT budgets to security in 2009, up from 7.2 percent in 2007 (Source: "The State of Enterprise IT Security 2008-2009," Forrester Research Inc., December 2008). That's a 75% increase, so unless IT budgets were to be cut in a draconian manner, it represents a net increase of security spending.

The second one, sponsored by CA, said that 42% of IT managers will increase their security spend this year, 50% will keep it flat, while only 8% will decrease. So that survey weighs in with a "growth" vote. You can see the press release on this survey here.

The third survey that I saw recently is Goldman Sachs' annual security spending survey. Published on April 15, it finds that security spending will decrease in 2009 by 1.6% compared to a 9% in overall decline in IT spending and a 5% decline in software spending. (Note I previously blogged about the 2008 edition and the 2007 edition of this report here and here). So a bit more pessimistic compared to the other surveys, but it still represents basic flatness, and as one VC said recently in a San Jose Mercury article that "flat is the new up." One potential silver lining in the Goldman Sachs report is that 2010 spending will increase by 2.9% compared to expectations of a 1% decline in overall IT spending in 2010. The report was based on an interview of 50 Fortune 1000 IT execs.

Goldman Sachs in the report notes that the "pace of data creation, and mobility of that data, continues to increase" is what is keeping up CISOs up at night, and that "the need to secure data at rest and [in] flight is only growing in importance." The report then says that the top four spending priorities — mobile security, identity and access management, data loss prevention and endpoint security — "speak to this theme." Below is the table from the report showing the top intends to spend within security (source: Goldman Sachs Security Spending Survey, April 15, 2009, page 16):


Goldman Sachs Security Spending Survey Exhibit 14

[Good news for Centrify is that identity and access management is one of the two top intends to spend :-) ]

The final last major bit of information that I got out of the Goldman Sachs report was the survey results on the biggest drivers of an organizations IT security spending. Not surprisingly, the biggest "stick" was compliance, which is what we have found to be the biggest driver of our solution as well. Here are the results, showing compliance, external threats and internal threats being the top three respectively (source: Goldman Sachs Security Spending Survey, April 15, 2009, page 19):


Goldman Sachs Security Spending Survey Exhibit 19

[Side notes: I have blogged on the issue of internal threats in my various blog posts on superuser privilege management, and have also blogged about specific compliance regulations such as PCI and FISMA. I will give my thoughts on external threats in future blog posts.]

Net net: two recent surveys show an increase in security spending in 2009, and the other one describes flatness in 2009 with an increase next year. But the theme of security being considered by customers as a "must have" during a recession are consistent amongst the three. I will keep my eye out for other security spending analysis and will blog about them if/when I see them.

< Previous Article: Integrating Your MIT Kerberos Realm with Active Directory
> Next Article: Interop Road Show Simulcast - May 6th