Bigger data, smaller budgets
While security budgets may be down generally, interest in leveraging security analytics is not. Roughly 64% of respondents reported using big data analytics as part of their security programs. And of those that do use security data analytics, 55% said that it has helped them to detect more incidents.
Industry analytics aren't so sure how deep the benefits actually go. At least not yet. Javvad Malik, security Analyst at The 451 Group, says that he doubts many enterprises are harvesting much for their efforts. "This is just getting started at most organizations," Malik says. "Security information and event managers are collecting thousands of alerts a day, so the art is trying to make sense of it all. This is where big data platforms can help. But right now most CSOs are going to their vendors and asking how the data tools they have can help with that," Malik says.
"When people use the term big data security analytics, they could mean anything from traditional log management and queries to Hadoop to cloud services," says Rothman. "There are a lot of companies looking at how they can improve their security analytics in those ways, but how many are doing it in a way that is impacting operations? Not many. How many are spotting security events that they wouldn't otherwise know about, even less," says Rothman.
While promising, if the experts are correct, security analytics certainly holds promise for the future, but it's too soon to expect a payoff. So security data analytics certainly doesn't account for the broad drop in security budgets. In fact, with vulnerabilities and threats rising, as well as numerous big name and big impact breaches in the news throughout the year, one would expect security investments to have risen, not fallen or remained essentially flat. But that's what the report found. Small companies are reporting that they reduced security investments by 20%, while midsized and large companies have bumped their budgets by a near statistically flat 5%.
Why is this? It could be largely because information security budgets are beginning to blend into operations budgets as cloud computing initiatives begin to take root. "A greater adoption of cloud computing for enterprise applications and projects is the first reason," says Brian Honan, CEO at Dublin, Ireland-based BH Consulting. "This is moving many large IT projects away from being solely IT budget items to co-shared items with business units," he says. "We may also have witnessed a higher than usual investment in previous years in IT due to companies spending money in IT as the global economy started to recover," says Honan.
The numbers support this line of reasoning. In the previous year, which looked at 2013 spending, survey respondents reported increasing IT investments a whopping 40% and lifting information security spend by a jaw-dropping 51%. That looks like latent demand from the recession, to be sure. Unfortunately, we've yet to see a corresponding drop in publicly disclosed data breaches or in their associated costs. But there's always hope next year will be different.
Sign up for CIO Asia eNewsletters.