RealTime IT News

Security Pros Cut Spending on Known Threats

The bottom line trumps clear security concerns at some companies, according to a survey of security professionals and C-level executives just released by the RSA Conference.

For example, even though 72 percent of those who responded to the survey said they've seen a rise in e-mail-borne malware and phishing , eight percent said they plan on cutting funds that would previously have been earmarked to try and deal with those risks.

Mobile security also lacked less than a full commitment. Some 40 percent of survey responders said securing lost or stolen devices (BlackBerrys, iPhones, etc.) is a top concern for the coming year, but 15 percent said they would be reducing spending designed to ensure the safety of mobile devices.

Budgetary concerns were top of mind in the survey results. Budgetary constraints were cited by 57 percent of respondents asked to list the top organizational and security challenges they expect to face in the next 12 months. Forty-four percent cited employee education as a major concern followed by lost or stolen devices at 40 percent.

No clear winner emerged in response to the question of what technology investments were likely to be bypassed or curtailed in the coming year. Security related to Telelcom/VoIP, applications, authentication, encryption and key management and DDoS solutions all were came in at or near twenty percent. Endpoint security and mobile encryption/wireless security both came in at 15 percent. Messaging security trailed at only eight percent.

The results were a surprise to Andreas Antonopoulos, senior vice president and founding partner of Nemertes Research.

"I was surprised by the fact people are cutting security budgets because our research shows mostly flat spending in security, which is bad enough, but cutting in areas where there are big problems like phishing and spamming … I'm not sure people are spending money in the right areas," Antonopoulos told InternetNews.com.

"I think the really difficult thing in security is to show ROI, return on investment or security as a cost center, because there is no ROI. A lot of the side effects of lax security are buried in lost user productivity or in the help desk. Something like slow or crashing PCs, for example, are impossible to measure or justify budget increases for, but these are the kind of mundane security problems that need to be addressed," he added.

"If you have to rebuild ten percent of your company's laptops three times a year, that cost in lost productivity really adds up. It's the kind of death by a thousand paper cuts that isn't always addressed."

Overblown threats?

Survey results were part of a just-published study called "What Security Issues Are You Currently Facing?" The RSA Conference said the report "includes responses from nearly 150 C-level executives and professionals charged with directing, managing and engineering security infrastructures within their respective organizations." The survey was taken the first two weeks of this month.

Participants were asked about some of the recent high profile phishing attacks that targeted Facebook and Twitter users. Although these attacks received extensive media coverage, only a small number in the survey, three percent, said they were seriously affected.

Most (84 percent) said they allow the use of these social media tools. Seventy-three percent said they weren't affected at all and twenty-four percent indicated they were somewhat affected.