IT Security Spending Trends

Security budgets and spending are on the rise, with much of that spending going toward in-house skills to support application security, intelligence and analytics, and data security, among other functions, according to a new SANS survey on IT security spending trends. The survey, conducted online in the fourth quarter of 2015, revealed that, in general, both IT and security budgets for financial services (including banking and insurance), technology providers, government, education and health care are on the rise.

Spending for security skills follows respondents’ primary drivers for spending. The top two skill areas they are investing in are sensitive data protection and regulatory compliance. However, their technology spending does not follow their drivers and skills spending. For example, rather than data protection and compliance technologies, such as DLP and encryption, their technology spending favors more traditional controls, such as network visibility and malware defense.

Respondents’ organizations are overwhelmingly spending their staffing and technology dollars on in-house skills and technology, except for DDoS protection, for which the majority is using cloud services.

Training and staffing are also the top spending areas predicted for 2016 budgets. However, discovery and forensics, followed by end-user training and awareness and detection and response, represent respondents’ next top spending categories planned for 2016. Compliance and audit are nearly at the bottom of the list, even though 80% of respondents consider regulatory compliance the most effective means to justify funding their security programs.

The majority of IT security budgets are folded into operational budgets, with only 23% wrapping security costs into a separate security cost center. However, this trend makes it difficult to track and report on accountability for the security budget. Only 22% of respondents benchmark their IT security spending practices, with at least one respondent expressing dismay at the lack of metrics that accurately quantify and justify the need for security spending. Answers to other questions pointed to inconsistencies in how respondents ranked effectiveness of technology versus how the technology spending was prioritized, revealing the need for better metrics to evaluate and justify costs.



Source: SANS Institute