Security budgets and spending are on the rise, with much of that spending going
toward in-house skills to support application security, intelligence and analytics, and
data security, among other functions, according to a new SANS survey on IT security
spending trends. The survey, conducted online in the fourth quarter of 2015,
revealed that, in general, both IT and security budgets for financial services
(including banking and insurance), technology providers, government,
education and health care are on the rise.

Spending for security skills follows respondents’ primary drivers for spending.
The top two skill areas they are investing in are sensitive data protection
and regulatory compliance. However, their technology spending does not follow
their drivers and skills spending. For example, rather than data protection and
compliance technologies, such as DLP and encryption, their technology spending
favors more traditional controls, such as network visibility and malware defense.
Respondents’ organizations are overwhelmingly spending their staffing
and technology dollars on in-house skills and technology, except for DDoS
protection, for which the majority is using cloud services.

Training and staffing are also the top spending areas predicted for 2016 budgets.
However, discovery and forensics, followed by end-user training and awareness, and
detection and response, represent respondents’ next top spending categories planned
for 2016. Compliance and audit are nearly at the bottom of the list, even though
80% of respondents consider regulatory compliance the most effective means to
justify funding their security programs.

The majority of IT security budgets are folded into operational budgets, with
only 23% wrapping security costs into a separate security cost center. However,
this trend makes it difficult to track and report on accountability for the security
budget. Only 22% of respondents benchmark their IT security spending practices,
with at least one respondent expressing dismay at the lack of metrics that
accurately quantify and justify the need for security spending. Answers to other
questions pointed to inconsistencies in how respondents ranked effectiveness of
technology versus how the technology spending was prioritized, revealing the
need for better metrics to evaluate and justify costs.
Source: SANS Institute