Enterprises Set to Increase Security Budgets

45% of respondents said their enterprises will increase spending on security for 2014 projects, against only 11% decreasing funding over the same period

A survey from TheInfoPro/451 Research identified key initiatives of senior security managers, and found that 45% of respondents said their enterprises will increase spending on security for 2014 projects, against only 11% decreasing funding over the same period.

However, in the not-so-good news, it turns out that PCI, SOX, HIPAA, GLBA and other regulations occupy a good chunk of enterprise security managers’ time, as the requirements are translated into legal/compliance functions within the enterprise.

"The 2014 study continues to see security budgets rise for most, but also shows an outsized role for compliance in security," said Daniel Kennedy, TheInfoPro's research director for information security and networking, in a statement. "38% of enterprises saw budget increases specifically to deal with compliance projects – the same percentage that reported the most common way for security projects to be initiated was compliance deciding they needed to be done."

The report noted that working out the “appropriate level of interplay with compliance is a major concern of managers interviewed for the Wave 16 Security Study, and a continued indicator of the ‘catch-up’ nature of enterprise security.”

Compliance-related concerns top this year’s list of security managers’ pain points, most notably data security, which is now at number two. Regulatory requirements have risen as a source of consternation from 1% to 8% between studies. The technical offshoot of data security, authorization/access control or maintaining the principle of least privilege in the workplace, was cited by 10% of interviewed enterprises.

Compliance aside, the disrupter technology in the security world continues to be mobile. Mobile device management (MDM) is the top source of pain at 18% of large enterprises, but products addressing this function are growing, as their use rose from 46% last year to 59% in this study.

The BYOD phenomenon – the proliferation of employee-owned mobile devices being connected to company resources – is making inroads into budgets. These potentially unsecured devices are most commonly used to check email but increasingly are connecting to file shares and applications.

“MDM offerings have stepped in to help solve this problem, and the technology has seen incredible growth,” the report noted. “Expect a further 8% worth of new large enterprises implementing MDM in the next six months.”

Meanwhile, concerns about data being appropriately accessed have led to identity management heading up the list of top projects for security staff. This project took the slot from data-loss prevention (DLP), which led the year before but is now in fourth place, despite the spate of high-profile data breach incidents at Target and other consumer-facing companies.

Also under the identity management umbrella, authorization/access control and privileged identity management are among the top concerns. About 39% of security managers cited IT professionals with elevated privileges as the greatest insider threat they deal with, the report noted.

In general, most of the budget increases are in the 5% to 10% range for 2014, while 5% of enterprises see their security budgets decreasing by 25% to 50%. The highest reported median budgets were in the financial services and business/accounting/engineering verticals, each averaging $5.5 million, the firm noted. And capex on security equipment dwarfs opex, at 67% to 33%.

Also, almost half of all enterprises surveyed (45%) believe spending on third-party services will increase in 2014.
