Look at these numbers over a multi-year period. This year—for the first time in the course of the survey—three long-term strategic trends in information spending have appeared in the spotlight.
1. Security is on the CFO’s “protect” list
We first saw evidence of this last year. This year’s data provides additional confirmation of the trend. As the function matures—and contributes in more obvious and direct ways to business objectives—it is encountering much more stable funding curves. As the survey revealed last year, security funding is protected during the “down” cycle. And—as we will point out in the pages that follow—this funding is increased as market vigor returns.
2. Yet security is still vulnerable to the “flavor of the year”
Because security sits at the heart of the business, its spending drivers—the factors emphasized most prominently and most often by executives seeking funding for security-related initiatives—tend to be very closely aligned with the “hot priorities” of the business, whatever they might be at the time. In short, security’s spending drivers are susceptible to what we might call the “flavor of the year.”
Take the US market, for example. In 2007, six years after the events of 9/11, 68% of US respondents identified business continuity and disaster recovery as the single largest driver of security spending, compared with 43% today. In the same year—five years after the passage of the Sarbanes-Oxley Act and two years after the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule took effect—US respondents identified regulatory compliance as the second-greatest spending driver, compared with 47% today.
3. The “water drop” effect
Big splash – then diffusion. After peaking as drivers, each of these factors, from business continuity to regulatory compliance, shifts from an “external game-changer” to an “internal given.” They remain important to the organization—often crucially so—but precisely because of their value, they become integrated into the business.
How? Through, for example, newly automated systems or feature-enhanced software. Updated job descriptions. Policies and business practices. And more comprehensively designed internal controls.