It appears that, though IT security spending will likely stay flat for 2011, the majority of companies are still approaching security purchase decisions based on FUD (fear, uncertainty, doubt) principles rather than on plans driven by IT professionals and executive leaders. This can lead to inefficient IT spending and poor security practices, particularly when only the "base" level of security precautions is put in place to meet compliance regulations:
"Regulatory mandates are continuing to drive IT security programs. And, as the saying goes: You can get compliant with a sound security program in place, but you might not necessarily get information assets secured with a compliance-based plan."
Is there a solution to this issue? It's not easy. A lot of the initiative for a successful, overarching and well-planned security policy falls on the shoulders of ambitious IT security professionals. They need to take it upon themselves to educate executives on the importance of planned security spending. For the first time in the 4 years of the survey, protecting the corporate brand is starting to become a driver in purchase decisions - and that's a positive change!