
Security budgets: Perception vs. reality

Security managers have to prove they've beefed up security since the terrorist attacks on September 11. The truth is, they already had.
Written by Wayne Rash, Contributor
When I first saw the numbers published by market research firm Instat/MDR, I was shocked.

According to Instat's findings, 80 percent of enterprise security managers planned to make no changes in their security purchase plans after the terrorist attacks of September 11, 2001. Worse, only 11 percent planned to increase their spending. What were they thinking?

Many financial services firms, including some of the world's largest, had managed to stay in business after their offices were destroyed only because they had taken precautions, and had found ways to move their data off-site in real time. Didn't these managers know that? How could they put their businesses at risk?

The answer, of course, is that most enterprise security managers were already well past that. They realized the importance of maintaining continuity of operations, and had already planned for it. In many cases, they already had solutions in place. They didn't need to increase spending because the spending plans were already done.

Jaclynn Bumback, the research analyst who produced this study, says many companies have moved beyond basic continuity of operations and off-site backup plans, and are now focusing on firewalls and VPNs. Overall, companies are much more worried about whether they're really secure. Backup and recovery, and operations security are high priorities, but they're not the whole security solution.

The reality

According to Bumback, the projected growth in security spending after September 11 was mostly due to companies that needed answers to the question, "If that happened to us, where would we be?"

In reality, security against intrusion, including intrusion from hackers, malicious code, viruses, and the like, is a much more important issue, says Bumback. While the destruction of your company's headquarters is possible, a virus attack or Web site hack is more likely.

The risk of intrusion has been in the news for some time, so enterprise managers already had plans to install or upgrade their perimeter protection. Before the terrorists struck, firewalls and VPNs were put in the budget. Managers weren't more galvanized by the attacks because firewalls and VPNs have little relevance to physical destruction.

But just because enterprise security managers are well aware of this doesn't mean the rest of the executives have a clue. Don't be surprised if your CFO or CEO hears from board members who are in an uproar about the findings of the Instat/MDR study. They'll want to know why your security spending hasn't gone up since September 11. They'll ask a lot of questions, and you'll have to demonstrate that you solved this problem before it arose, and that your sights are already set on where the real risk lies.

On the other side of the coin, the study's findings could lull CEOs into budgetary complacency and make them reluctant in the near future to fund needed increases in security spending. Either way, the bottom line is not to let big headlines distract you from what you already understood as your mission prior to September 11. Now you have some explaining to do, whether it's to defend a static budget or to request additional funds.

You might as well start on the PowerPoint slides now.

Have the terrorist attacks prompted an increase in your organization's security budget? TalkBack below, or e-mail me your thoughts.
