Companies struggle to comply with PCI DSS standard, Gartner finds

Nearly one-fifth of companies that should be compliant with PCI DSS are not, according to Gartner

Gartner conducted a series of kiosk-based surveys between June and September at its annual IT security summits and catalyst events in North America and its security and risk management summit in Europe. The surveys of 383 IT managers found that 18% of respondents said they were not compliant with PCI DSS, a result that Lawrence Pingree, research director at Gartner, termed a “surprise”.

“The PCI is a really good way to get adoption of security controls that otherwise organizations probably wouldn’t implement”, Pingree told Infosecurity.

According to the survey, IT security budget planners are expecting a fairly significant increase in their security budget allocations this year. The allocation to security out of the total IT budget increased to a mean of 10.5% this year, compared with 6% last year. In addition, 33% of respondents said they anticipated growth in their overall IT budget next year, with 22% expecting a 5% or more increase.

“Security is top of mind again at least to the budget layer. Organizations are responding to the news of the latest breaches”, Pingree said.

Gartner found that the dominant security spending this year was on personnel, at 32% of security spending, down slightly from 35% last year. Consulting services and outsourcing services were also both lower than last year's numbers, with a significant consulting decrease from 14% last year to 11% this year and outsourcing dropping from 18% last year to 11% this year.

When asked about the top security projects for 2011, respondents put data loss prevention (DLP) at the top of their list, with user provisioning and event management coming in second and security information and event management coming in third. Intrusion detection, network access control, application security, and IT governance, risk and compliance management tools also ranked high up on the list.

Pingree said that the survey found that DLP and fraud prevention products are at the lowest level of “enablement” among organizations surveyed. “There is a need to fully use these products”, he added.

“These security systems are not fully enabled. Organizations are buying these products and not fully enabling the systems to block attacks. That is one of the fundamental problems”, he observed.

In addition, 33% of respondents said they did not have DLP products and 44% did not have fraud prevention products. “Many of the organizations need to have anti-fraud and fraud detection and prevention systems, but they don’t have them”, Pingree observed.
