Analyst firm Gartner projects that worldwide spending on IT security products and services will grow 7 percent, year over year, to reach a total of US $86.4 billion in 2017.
Historically, organizations have had a tough time allocating security expense budgets because:
- The concept of security was vague and unclear
- There is no methodology to assess the exact requirement and the resultant benefits, thus creating difficulty in establishing a sound business case
- No regulatory compulsion
- The evolution of technology, and its associated threats and digital perils, were slower.
In addition, in the absence of established norms on security spending metrics, many organizations adopted a magical figure of 4% of the total IT budget as the acceptable to spend on information.
Later, in line with the changing times, ISACA rightly clarified that security is a business enabler, and any spend on it needs to be monitored as an investment in line with the tenets of IT governance.
Now, with the current technological tsunami and the accelerated business initiatives struggling to keep pace, on top of regulatory pressure, information security – unsurprisingly – has become the number one priority. Gartner analysis further substantiates this by emphasizing the facts and figures through its analysis. The firm’s significant points include:
- More opportunity for security startups for offering specialist B2B services
- Growing demand for application security testing
- Growth in interactive application security testing projected through 2021
- The fastest-growing segment will be security services, especially IT outsourcing, consulting and implementation services
- The European Union’s General Data Protection Regulation, which is due to come into force in May 2018, projected to drive 65 percent of data loss prevention buying decisions through 2018
- A big rise in the bundling of security services and broader IT outsourcing (ITO) projects, with managed security service (MSS), to rise from 20 percent currently to 40 percent by 2020
- Organizations should be doubling down on “basic security and risk-related hygiene elements,” such as threat-centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.
All in all, this is a great news for the security profession. However, why should any organization spend millions of dollars on anything without a solid cost justification? Security costs, like any other costs, should be justified, for after all, more funding does not necessarily mean better security.
Investments in security controls do not directly contribute to revenue, but they prevent losses and safeguard reputation. Hence, security professionals should be able to help their organizations by using suitable security ROI metrics to choose the most economical and technically acceptable solution.
This will surely set in motion a strong, win-win relationship between the security profession and business leaders for the coming years, and establish security practitioners as a trustworthy partner to clients worldwide.
Ravikumar Ramachandran, CISA, CISM, CGEIT, CRISC, CISSP-ISSAP, SSCP, CAP, PMP, CIA, CRMA, CFE, FCMA, CFA, CEH, ECSA, CHFI, COBIT-5 Implementer, Certified COBIT Assessor, ITIL-Expert, Account Security Officer, DXC Technology, India
[ISACA Now Blog]