NATIONAL HARBOR, Md. -- As a budgetary matter, IT security is not a one-size-fits-all proposition.
With corporate budgets still reeling from the economic downturn of 2008 and 2009, a senior analyst at the research firm Gartner is urging IT managers to take a shrewder posture on information security, leveraging free or lower-cost solutions to shore up data systems without breaking the bank.
"The goal here is to do more with less," Gartner Managing Vice President Vic Wheatman said in a presentation here at the firm's annual Security and Risk Management Summit. "There's almost no correlation between how much is being spent and how secure the organization is."
In a recent survey of CIOs at SMBs and larger enterprises, Gartner found that businesses are planning to spend an average of 5 percent of their IT budgets on security this year, down a percentage point from 2009.
Overall, Gartner found that IT spending is projected to bounce back slightly from a sharp decline in last year, but that it will still remain a lower percentage of the total corporate budget than in 2008.
Wheatman noted that budget requests for security spending can be difficult to justify from a traditional business perspective, as cash-strapped CFOs are often reluctant to authorize funds for expenditures whose value can't be quantified in the traditional sense.
"With few exceptions, it's not a return on investment," he said. "With few exceptions, it's really a cost of doing business."
But Wheatman counseled several approaches that can stretch the budget and achieve acceptable -- if not always ideal -- security.
"Leverage the free stuff," he said, pointing to the security features that come pre-installed in many operating systems and hardware, particularly networking appliances, such as routers. Even if those features don't always measure up to the expectations of an enterprise, they can provide a rudimentary level of security and give the IT shop a core on which to build additional layers of defenses.
"Turn them on and see if they're good enough," Wheatman advised.
Gartner is also a forceful advocate of instilling security as a cultural priority across a company's IT staff, so that rigid defenses are treated as an integral part of any new technology deployment. The firm estimates that businesses yield an average savings of 30 percent when they deploy systems with security as a design feature rather than falling into the repetitive cycle of patching vulnerabilities as they arise.
Wheatman also encouraged his audience of security executives to look seriously at outsourcing some of their operations.
"This is not an abdication of responsibility," he said. "You still have to handle the outsourcers."
But outsourcing firms that specialize in a specific security discipline often have a clearer view of the landscape and are better able to anticipate emerging threats thanks to their experience handling similar operations for multiple clients. The result, Wheatman said, is that businesses can often achieve "better security at lower cost."
Of course, security competes with numerous other priorities on the IT agenda, and by some measures has been losing ground in recent years.
"Over the course of the last three or four years, the level of importance that information security has relative to some other things -- like virtualization, cloud computing, Web 2.0, etc. -- has kind of dropped down the list," Wheatman said.
At the same time, he pointed out that the coding practices peculiar to each firm's accounting shop are a weighty variable when trying to calculate overall security spending.
The fees paid to third-party managed service security services providers, for instance, will often fall under the human resources budget. Similarly, spending on anti-malware programs is often coded as "operations and maintenance," and a narrow view of the information security budget may not account for the cost of security software included in an architecture project, such as a mainframe upgrade.
According to Gartner's polling, CIOs said that identity management tops their list of security project priorities, followed by technology to prevent data loss.