Security spending 2009: The good and bad news

Under pressure to do more with less, some IT managers are abandoning strategic security projects, knowing it will cause more trouble down the road. But with careful planning, they can win in both the short and long term.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.

Recent Enterprise Strategy Group data indicates that security spending should maintain its current pace in 2009. There will be spending increases in some vertical sectors, like the U.S. federal government, but overall, things should remain relatively flat.

As they say on Wall Street these days, "flat is the new up." Large organizations will continue to bolster network defenses and focus on protecting confidential and private data. Given the frightening security threat landscape, this is good news.

Unfortunately, there is a caveat here. Under constant pressure to "do more with less," some chief security officers I speak with are abandoning strategic security initiatives and replacing these projects with tactical Band-Aid solutions--the old check box mentality at work. Yes, these folks recognize that they will have to "rip and replace" point tools when the economy improves, but they are willing to face that future expense to "do something" in the short term.

Ay, ay, ay! One of the reasons why the state of information security is so bad is that it is built on a foundation of islands of point tools for protection against tactical threats. Managing these systems is an operational nightmare. What's more, most of these tools aren't integrated with one another, so getting a true picture of the security posture of the whole business is next to impossible, which may actually lead to additional security risks. Ironic, isn't it?

My suggestion is this: Buy tactically but think strategically. Users should look to work with vendors who can address short-term tactical needs and provide a road map to integrate these products into a more strategic enterprise security architecture over time. At the other end of the spectrum, vendors must clearly articulate this value to users and help them phase in products, determine success metrics, and provide a final strategic destination.

Perhaps this is a stretch, but I hope that users and vendors can strive for this type of harmony. Otherwise, I'm afraid both groups will suffer more than necessary.