Security budgets take hit in media, tech industry, survey finds

By Robert Westervelt, News Editor
18 May 2009 | SearchSecurity.com

The economic downturn has resulted in shrinking IT budgets across industries, but a new survey from Deloitte Touche Tohmatsu indicates that media, telecommunications and technology firms are also cutting their security budgets.

The Deloitte survey of technology, media and telecommunications firms found that security budgets were cut in 2008 as those firms saw declining support from senior executives for compliance initiatives.

Thirty-two percent of respondents indicated reduced information security budgets, while 60% of respondents believe they are "falling behind" or still "catching up" to their security threats, a significant increase from 49% the previous year.

The survey reflects interesting differences across industries, said Irfan Saif, a principal with Deloitte's security and privacy services.

"While IT spending is also going down in financial services, security spending has not gone down," Saif said. "A lot of it has to do with regulatory landscape."

Saif said industries where compliance is a bigger driver for security spending were impacted less by the economic downturn. Financial firms are bracing for increased regulatory oversight and healthcare firms recently saw tightened regulatory control with changes strengthening HIPAA, introduced as part of the recent government stimulus package.

Only 41% of respondents said they have a security metrics and reporting program in place. In addition, 57% of respondents believe senior executive support for meeting regulatory requirements is either missing or inadequately funded.

The result of the cutbacks is less innovation in security technologies, Saif said. Only 53% of respondents consider their organizations to be early adopters, or part of the early majority, down from 67% in 2007. The focus is on improving the technology already in place rather than investing in new security capabilities, he said.

"They're being more judicious of what they're spending on," Saif said. "There's a notable decline; everything from antispyware to email encryption."

The declining security budgets also come amid growing concern about data leakage with the increased use of online social networking websites, such as Facebook and Twitter. The increased use of blogs, wikis and Web-based project collaboration tools also fuels fear of end users inadvertently losing customer data and intellectual property.

"CISOs are describing a higher risk generation of people that are more comfortable with Web 2.0 technologies integrated as part of their lives," Saif said. "This has a major impact on risk."

More than 80% of survey respondents named "exploitation of vulnerabilities in Web 2.0 technologies" and "social engineering" techniques such as pretexting and phishing as threats to a company's information security. Companies are also less confident in their ability to deal with internal security risks. Only 28% of respondents rate themselves as "very confident" or "extremely confident" with regard to internal threats, down from 51% in 2007.

Privacy programs at many media, telecommunications and technology firms are also lacking, the survey found. Less than half of those surveyed indicated they have a privacy program in place. Only 44% have an executive responsible for privacy.

Tags: Compliance Regulation and Standard Requirements; Security Policies and User Awareness; Information Security Risk Assessment: Methodology and Analysis

All Rights Reserved, Copyright 2008 - 2010, TechTarget