"The average percentage of IT spending that security will comprise in 2010 is 5 per cent, down from 6 per cent in 2009," said Vic Wheatman, research director at Gartner. "In 2009, in the face of a significant IT spending downturn, security spending grew slightly as a percentage of the IT budget, while many other IT spending areas were gutted. With the economic situation projected to improve in 2010, organisations are ramping up investments in other spending areas faster than they are for IT security."
Mr Wheatman said organisations continue looking for security "platforms" such as endpoint security, nextgeneration firewall, web security gateways, email security gateways and multifunction firewalls for branch offices, where they make sense.
However, Mr Wheatman said that clients are still looking for bestofbreed solutions, where platforms do not make sense - such as in vulnerability assessment. In many cases, customers will seek lowercost contracts and delivery models and are also starting to explore the use of opensource tools and internal labour, or contracting for various security services.
While security spending tied to "keeping the bad guys out" was not heavily affected by the economy and will remain on pace for 2010, a significant number of IT security organisations had to scale back on large, capitalintensive projects in 2009. In 2010, however, security spending that is more tightly tied to new business initiatives, such as complex identity and access management (IAM) and data loss prevention (DLP) projects, is beginning to reappear.
IAM is the top security priority for 20 per cent of organisations surveyed in Gartner's 2010 CIO Survey, making it the clear leader among the mostimportant projects. More than 40 per cent of organisations named intrusion prevention systems, patch management, DLP, antivirus and identity management among the top five security priorities for 2010.
In addition, spending is set to continue for such priorities as supporting guest networking and employee teleworking, securing wireless LANs, meeting Payment Card Industry standards, consolidating audit trails, security information and event management, and penetration testing requirements. Gartner also continues to see strong spending on intrusion prevention.
North American companies led security spending in 2009, averaging 5.5 per cent of IT budgets. This compares with 5 per cent in Asia/Pacific, 4.8 per cent in Latin America and 4.3 per cent in Europe, the Middle East and Africa. Security spending also varied significantly from industry to industry and was typically higher for industries that are highvisibility or in regulated environments or require higher levels of risk mitigation, such as professional services (6.8 per cent), government (5.9 per cent), and banking and financial services (5.3 per cent) because of requirements for the protection of lives, financial assets and intellectual property.
"Determining how much a specific organisation spends on information security is not an easy exercise, particularly during time of economic uncertainty," said Mr Wheatman. "However, regardless of industry or geography, we would urge organisations to use their best efforts to evaluate enterprise spending, while recognising that they may not be capturing all security spending because of organisationally diffused security budgets."
Mr Wheatman will provide moredetailed analysis on the state of the IT security industry at the Gartner Security & Risk Management Summit 2010, taking place 21-23 June in Washington D.C. This Summit is the premier conference and meeting place for IT and business executives responsible for creating, implementing and managing a proactive and comprehensive IT strategy for information security, risk management, compliance and business continuity management.