January 9, 2015 By Jaikumar Vijayan 3 min read

One thing information security managers will likely need to do less of in 2015 is justify spending on security controls to their chief information officer (CIO).

Last year’s high-profile attacks on companies such as Home Depot and JPMorgan Chase have made information security a top spending priority for CIOs for the second straight year.

In a survey conducted by investment bank Piper Jaffray, 75 percent of CIOs said they expected to increase spending on information security in 2015. That number is significantly higher than the 59 percent of CIOs who said the same thing in last year’s survey, and it reflects some of the nervousness caused by the slew of major data compromises last year.

“CIOs clearly have heightened concerns from the many security breaches that occurred in 2014, resulting in an inflection in overall security spending,” the report noted.

Nearly 90 percent of the CIOs surveyed said their top investment priority for this year is network security controls such as firewalls. Some 80 percent pointed to endpoint security as their biggest concern and said they will focus on investing in it in 2015. Some other prioritized areas CIOs expected to spend more money on this year are compliance, Web application security and security incident and event management tools. Close to 40 percent of the CIOs surveyed expected to leverage managed services for their security needs this year.

CIO concerns over cloud security appear to have been heightened by last year’s breaches, with 35 percent of respondents citing it as the primary reason for not migrating their applications to the cloud (compared to the 31 percent who said the same thing last year).

Benefits of Increased CIO Awareness

CIOs’ increased willingness to spend on information security is a good thing for enterprise security managers who are long-accustomed to fighting for their budgets. This is the second time in two years that CIOs have made security a top priority over investments in other areas, such as enterprise mobility, storage and server technologies.

However, it still may not be enough. While the heightened spending reflects growing concern over enterprise security threats, security budgets still comprise a relatively small percentage of overall IT budgets.

In its Global State of Information Security Survey 2015 last September, PricewaterhouseCoopers (PwC) noted that top enterprise executives had a similarly heightened concern over security. For instance, nearly half of all chief executive officers surveyed last year by PwC expressed concern about cyberthreats to their companies.

Security Spending

Despite this, security spending has not moved much in proportion to overall technology spending. The PwC survey showed that average security budgets have remained more or less stagnant at 4 percent of overall IT spending for the past five years.

In 2014, smaller companies, defined by PwC as firms with less than $100 million in revenue, actually reduced their security spending significantly compared to 2013, though medium and larger companies boosted theirs between 5 percent and 10 percent.

The PwC survey also showed that security investment increases were not uniform across all industries. In some sectors, such as health care, utilities and oil and gas, companies appeared to be willing to invest substantially more on security than companies in other industries. For instance, information security spending in the health care industry increased a huge 66 percent in 2014 amid skyrocketing financial losses from cyberincidents, the PwC survey found. At the same time, companies in the automotive, retail and aerospace and defense industries actually spent less last year on security than before.

One possible explanation for what is going on is that highly targeted security practices are helping some companies strategically optimize their information security spending.

More from

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

Pentesting vs. Pentesting as a Service: Which is better?

5 min read - In today's quickly evolving cybersecurity landscape, organizations constantly seek the most effective ways to secure their digital assets. Penetration testing (pentesting) has emerged as a leading solution for identifying potential system vulnerabilities while closing security gaps that can lead to an attack. At the same time, a newer entrant into the security arena is Pentesting as a Service (PTaaS). Although PTaaS shares some similarities with pentesting, distinct differences make them two separate solutions. This article will discuss how these methodologies…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today