One thing information security managers will likely need to do less of in 2015 is justify spending on security controls to their chief information officer (CIO).
Last year’s high-profile attacks on companies such as Home Depot and JPMorgan Chase have made information security a top spending priority for CIOs for the second straight year.
In a survey conducted by investment bank Piper Jaffray, 75 percent of CIOs said they expected to increase spending on information security in 2015. That number is significantly higher than the 59 percent of CIOs who said the same thing in last year’s survey, and it reflects some of the nervousness caused by the slew of major data compromises last year.
“CIOs clearly have heightened concerns from the many security breaches that occurred in 2014, resulting in an inflection in overall security spending,” the report noted.
Nearly 90 percent of the CIOs surveyed said their top investment priority for this year is network security controls such as firewalls. Some 80 percent pointed to endpoint security as their biggest concern and said they will focus on investing in it in 2015. Other areas CIOs expected to spend more money on this year are compliance, Web application security and security information and event management (SIEM) tools. Close to 40 percent of the CIOs surveyed expected to use managed services for their security needs this year.
CIO concerns over cloud security appear to have been heightened by last year’s breaches, with 35 percent of respondents citing it as the primary reason for not migrating their applications to the cloud (compared to the 31 percent who said the same thing last year).
Benefits of Increased CIO Awareness
CIOs’ increased willingness to spend on information security is a good thing for enterprise security managers who are long accustomed to fighting for their budgets. This is the second time in two years that CIOs have made security a top priority over investments in other areas, such as enterprise mobility, storage and server technologies.
However, it still may not be enough. While the heightened spending reflects growing concern over enterprise security threats, security budgets still comprise a relatively small percentage of overall IT budgets.
In its Global State of Information Security Survey 2015 last September, PricewaterhouseCoopers (PwC) noted that top enterprise executives had a similarly heightened concern over security. For instance, nearly half of all chief executive officers surveyed last year by PwC expressed concern about cyberthreats to their companies.
Despite this, security spending has not moved much in proportion to overall technology spending. The PwC survey showed that average security budgets have remained more or less stagnant at 4 percent of overall IT spending for the past five years.
In 2014, smaller companies, defined by PwC as firms with less than $100 million in revenue, actually reduced their security spending significantly compared to 2013, though medium and larger companies boosted theirs between 5 percent and 10 percent.
The PwC survey also showed that security investment increases were not uniform across all industries. In some sectors, such as health care, utilities and oil and gas, companies appeared to be willing to invest substantially more in security than companies in other industries. For instance, information security spending in the health care industry increased by 66 percent in 2014 amid skyrocketing financial losses from cyberincidents, the PwC survey found. At the same time, companies in the automotive, retail, and aerospace and defense industries actually spent less on security last year than before.
One possible explanation for what is going on is that highly targeted security practices are helping some companies strategically optimize their information security spending.