Information security budgets generally dodge effects of downturn

While more than a third of public sector security chiefs report they curtailed projects this year, they made little progress in deploying systems to monitor network use, survey finds.

Government agencies could become more vulnerable to hackers and increase the chance they might lose data if they respond to the slow economy, and subsequent lower tax revenues, by cutting back on security-related projects, according to a survey of public sector security chiefs.

More than half the 899 information security professionals in the public sector -- about 58 percent -- said canceling, deferring or downsizing security-related initiatives is important during harsh economic times, according to a survey conducted by PricewaterhouseCoopers and CIO and CSO magazines.

But far fewer, about 37 percent, said they actually made such cuts in 2009. For projects that were curtailed, about 24 percent were delayed by a year or less, and the budgets for 28 percent of these projects were cut 19 percent or less.

That was good news to Scott McIntyre, managing partner of PricewaterhouseCoopers' public sector practice. "Security budgets across-the-board appear to be less vulnerable to cost cutting," he said. "But to protect that budget, organizations need to show the value of that investment in security. The security function is under tremendous pressure to perform."

Nearly half the public sector security chiefs surveyed said requirements have grown more challenging as the regulatory environment increased in complexity and cost reduction efforts made even adequate security harder to achieve.

The good news from the survey was that the number of security incidents didn't increase. Sixteen percent reported having no incidents in the past year, virtually unchanged from the 18 percent reporting no incidents in 2008 and the 17 percent in 2007. About 23 percent of the public sector respondents reported experiencing between one and nine incidents, the same percentage who reported that number of incidents in 2008 and 2007. Most -- more than 70 percent -- reported putting a greater focus on data protection, prioritizing security investments based upon risk, and strengthening governance, risk management and compliance programs.

"Organizations need to spend the money where it adds the most value," McIntyre said. "In many cases, that means increased automation and making sure security is well-aligned with the organization's objectives."

Respondents, however, reported little progress in developing certain security processes. Efforts to identify users, monitor information security intelligence and compliance with security policies have not progressed significantly beyond the status reported in 2008.

According to the report, "The chalk lines have essentially not moved," and the majority of metrics used to track advances in security-related capabilities have, by and large, not advanced during the past year in the public sector.