Study: IT’s throwing money at security, not sure what it’s getting in return

Nearly a fifth of corporate IT budgets is going to security. And many IT decision-makers are expecting to spend even more in coming years. But according to a recent survey, they still don’t feel that’s enough to protect them from attacks.

A joint survey by Dell and Vanson Bourne looked at how IT is investing in security. And overall, security is taking up a sizable portion of IT’s budget: 17%, according to the survey.

And more money is headed toward security. Of 1,440 decision-makers surveyed, 68% expect to increase spending on IT security in the next year. Over the next three years, 74% expect spending to increase.

Where’s the money going?

The top areas for spending increases were:

  • employee training and education (67%)
  • cloud security (58%)
  • monitoring services (54%)
  • completing security risk assessments (53%), and
  • hardware (51%).

And the top three concerns for these survey takers read like a list of the biggest trends of the last five years. They cited as their top concerns:

  1. increased reliance on internet-based apps (63%)
  2. more mobile technology used for work (57%), and
  3. an increased use of the cloud (49%).

All three of these ranked higher than hackers on decision-makers’ list of concerns.

What are they getting for the money?

From those spending patterns, it might seem like IT would be fairly confident in its ability to deal with threats. But that’s not the case, unfortunately.

Nearly three-quarters (73%) had suffered a data breach in the past year. And 40% didn’t believe the current security measures were enough to protect them against cyberattacks.

While the survey didn’t indicate whether IT pros were satisfied with their current IT spending habits, these figures could signal a less-than-optimal return on investment for security services.

Getting more for your buck

Dealing with security vendors seems like a bigger and bigger part of a lot of IT pros’ jobs these days.

To help make sure that relationship goes smoothly:

  • Evaluate carefully. When selecting vendors, make sure you’re on the same page about what counts as acceptable risk and reaction time. In the survey, 48% of respondents felt that taking action after a data breach should be done within an hour, but 68% reported that their latest breach took more than an hour to be identified.
  • Determine responsibilities. Following a breach or other incident, the last thing you want to hear is, “That’s not our role.” Make sure contracts spell out who is responsible for a range of security issues and what those responsibilities entail.
  • Read renewals carefully. When it comes time to renew a contract with a vendor, don’t assume that everything will remain exactly the same. Get any changes to your service agreement in writing. Better yet, get them to mark up the differences between your existing contract and the renewal so you can see exactly what’s different.
  • Rework the standard SLA. If something doesn’t work for you in a contract, get it taken out. Service level agreements are built to work in the vendor’s favor, but you can get them changed before you sign if you have serious issues.

Free ways to boost security

Sometimes, the best things in life are free. Unfortunately, that’s probably not true of security.

There are, however, some steps you can take to boost security a bit while spending very little.

  • Increase the back-and-forth with users. Getting the security message out shouldn’t be reserved for regular training or when there’s a problem. See a news story about new malware or threats? Email users, and give them two or three good security tips to protect themselves and your systems.
  • Enlist the help of other managers. Get other managers or direct supervisors to support the security message so users focus more on security as part of their jobs.
  • Tighten administrative controls. Watch carefully for suspicious activity on your network. Now’s as good a time as any to also review and make sure all former employees’ credentials have been revoked.