IT Security Spending to Rebound in 2003
New regulatory standards such as HIPAA and GLBA aren’t expected to drive IT security spending
The final numbers aren’t in, but analysts and security firms are anxious to put a disappointing 2002 behind them even as they look forward to what they say will be a more successful 2003. Over the coming year, industry watchers expect that IT security spending will increase as firms implement postponed projects and allocate new funding for deferred purchases of security products and services.
Despite all expectations, 2002 was a very flat year for IT security spending. It wasn’t supposed to turn out that way: After all, market research firm Dataquest opened the year by predicting a torrid 18 percent growth rate, spurred in part by the tragedy of September 11th. By June, however, consultancy Vista Research found that spending would increase by a mere 3 percent.
According to Bruce Murphy, CEO of security consulting and managed services provider Vigilinx, in the aftermath of September 11th, many corporate IT customers actually shifted their emphasis away from logical security—i.e., hardening their infrastructures against attack from both within and without—and instead allocated more funding for physical security. “A lot of the dollars that had been allocated to risk management and protection were instead donated to gates, guns and guards and away from logical security protection. In the logical security world, 9/11 has been more hype than reality.”
When clients did spend money in 2002, they more often than not allocated it to point solutions, such as anti-virus software or firewalls. Spending on more costly proactive measures, such as vulnerability assessments and security event analyses, was largely curtailed.
Murphy and other consultants acknowledge that 2002 was a flat year, but say that in a climate of diminished expectations, even flat growth was something to celebrate. “Security has always followed and mirrored the overall IT spending. Most of the dollars for security come out of those budgets, so as IT spending goes, so goes security.”
Greg Shipley, chief technology officer with security consultancy Neohapsis Inc., agrees. “From my sense, IT security spending weathered the storm [in 2002]. A lot of our clients decreased IT budgets, but sometimes stabilized and increased information security products.” Shipley says that Neohapsis bucked the trend and experienced solid growth in 2002.
For his part, Andrew Baker, former director of Internet operations for educational testing service Princeton Review Inc., says that security has always been a tough sell to management. In the context of the current recession, he acknowledges, it’s gotten even more difficult: “During the 2002 budget planning cycle, I lost about 40 percent of my intended budget which would have been allocated to security, as the organization cited the economy.”
Paradoxically, says Baker, who left his position with Princeton Review during the second half of 2002, it has become more difficult for many IT departments to obtain funding for security-related purchases or initiatives since 9/11. “[Security is] probably the hardest area to get funding for right now, as 9/11 had a far more positive impact on Disaster Recovery funding than on Security.”
Most market research firms have predicted a recovery in IT security spending in 2003 and beyond. Vista Research, for example, projects that spending for security products and services will grow by 11 percent this year and by an additional 18 percent in 2004. According to Dataquest, the market for security services will continue to grow through 2006, nearly doubling in size from 2001.
Security consultants such as Dan McCall, executive vice president with managed security services (MSS) provider Guardent, say that in 2003, IT security spending will be greatest in specific vertical markets, including such stalwarts as financial services and government, but also, as a result of 9/11, utilities. “Large utilities, where we haven’t traditionally been doing a ton of work, it looks like they’re now taking [security] very seriously and my guess is that in 2003 they’re going to get the budgets to actually do something.”
McCall is particularly encouraged by research data from Dataquest and International Data Corp. (IDC), which show a rapid pace of growth for MSS. IDC, for example, found that the worldwide market for MSS will grow to just over $6 billion by 2005.
In addition to MSS, which are expected to see encouraging growth in 2003, industry watchers expect that IT organizations will continue to spend on point solutions, but will undertake more costly projects as well. Says Murphy: “They’ll be spending on security intelligence, on vulnerability information. I think they’ll be spending on security compliance and benchmarking. I think they’ll be spending on security event analysis and consolidation.”
There’s been speculation that regulatory requirements, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), could spur an uptick in IT security spending in 2003.
Vigilinx’s Murphy says that that’s not likely, however, because as it now stands, both GLBA and HIPAA lack regulatory teeth. “A lot of people are concerned about HIPAA regulations, but those regulations haven’t been finalized, and a lot of times, people don’t act. A lot of this [enforcement] is going to have to come from litigation. There’s criminal penalties in there for criminal negligence. However, until someone brings a case to court, until something actually happens, I don’t know how many people are going to heed those regulations.”
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.