Survey: Slight Uptick in Security Spending

CISOs have their eyes on application security, NAC, and security services, according to Merrill Lynch survey

Dark Reading logo in a gray background | Dark Reading

Money is still tight for security, but chief information security officers (CISOs) plan to pump more funds into application networking/security and in preventing data loss, according to a new survey conducted by Merrill Lynch.

Don't expect any drastic changes in security budgets over the next 12 to 18 months. Survey respondents will increase overall security spending by about 4 percent over the next 12 to 18 months, which was about the same increase they said in a September survey by Merrill Lynch. In addition, 62 percent of the around 50 North American IT executives surveyed by Merrill Lynch in the survey said they expect security spending to increase over this same time period.

Interestingly, more than half of the respondents said they increased their security budget since the beginning of this year, and only 10 percent said they had cut their budget. Nearly 40 percent said their budgets had remained the same. (Most of the respondents are from large enterprises: Two thirds are from firms with over 10,0000 employees.)

So how does security stack up with other IT spending? The survey found that the proportion of security to overall IT budgets increased slightly, from an average of 5.5 percent in September to an average of 5.9 percent in December. And the biggest driver for changes in security budgets remains regulatory requirements (28 percent), although 32 percent answered "not applicable/unsure." 18 percent attributed it to new project approvals.

At the top of the list of security spending priorities was endpoint security/NAC, with a 5.1 percent increase in spending over the next 12 to 18 months; application networking/security, with 3.4 percent; and intrusion detection/prevention, with 3.2 percent. Data loss got the highest ranking as the most promising new security technology, with 40 percent, but that was a decrease from 62 percent in September.

And security as a service is on their radar screens: 42 percent said they are more likely to consider security as a service these days, with 30 percent of these respondents leaning toward IDS/IPS services, 24 percent for anti-spam, and another 24 percent for vulnerability management services. Of the 28 percent who said they wouldn't consider security services, 32 percent cited trust concerns, and 27 percent said the ROI benefits aren't clear enough for such a change.

Staff constraints (24 percent) and budget constraints/cost savings were the main reasons for respondents who said they would consider security services.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights