IDC: IT chiefs struggle to find resources to meet security requirements

Boards are expecting CIOs and chief security officers (CSOs) to provide increased security at a time when budgets are either flat or increasing only slightly, according to IDC program manager Eric Domage, who was speaking at the analyst firm's IT Security Conference today.

The increase in security requirements is related to the fact that the IT skills of staff are no match for the increase in volume and complexity of security threats, he said.

"This means there's a gap between what you have to do, and what you're given as a resource to do it."

Domage said a survey of delegates at the event showed that 40 per cent of respondents had had their security budgets frozen, and that many were making cuts in order to fund mobile device protection.

Domage said he had seen four strategies employed by CIOs looking to achieve improved security from a smaller budget.

• Contract renewal/price renegotiation – squeezing vendors to reduce costs;
• Vendor consolidation – purchasing more solutions from a smaller number of suppliers in order to benefit from economies of scale;
• Shift to security-as-a-service – transferring a capital expenditure to operational;
• Virtualisation or a cloud strategy – shifting to cheaper cloud alternatives.

Domage added that 70 per cent of respondents to the survey believed that squeezing vendor pricing was the best way to get the most from tight security budgets.

Des Powley, director security and identity management, Oracle, said that part of the problem is that boards do not fully understand security.

"Does the business understand the value of security? My US paymasters think the whole world revolves around compliance."

Domage concluded that compliance was a key factor of security, but is an increasingly complex area as more regulations appear, placing further demands on budgets.