The survey showed that the median annual budget for enterprise security in 2010 is $600,000, an 11 percent increase over 2009, with yet another 11 percent increase anticipated in 2011. But despite incremental budget growth, the survey's respondents -- who hail from banking, healthcare, telecommunications and other sectors as well as local and federal government agencies -- often indicated they had a hard time finding and retaining security personnel.
Organizations on average assigned 120 staffers to IT and compliance matters, with larger enterprises of 5,000 or more assigning 232. But much of the time this was seen as insufficient, with 51 percent of respondents saying finding qualified applicants was a "huge" or "big" problem.
Difficulty in finding the right expertise was a driver in all manner of outsourcing, including use of managed security services, which about half the organizations used. But only about half were truly "satisfied" with outsourcing arrangements, even as they contemplated expansion into software-as-a-service, platform-as-a-service, and infrastructure-as-a-service, which Symantec defined as everything from use of Google Apps to full-blown hardware and operating system rental on demand, making up today's evolving concept of "cloud computing."
In fact, 40 percent of the respondents indicated their organizations were currently using applications in the cloud in some way -- yet 40 percent said it would be more difficult to prevent or react to data loss under their firm's cloud-computing strategy.
And when asked "Does your cloud-computing strategy make the risk of losing data bigger or smaller?" 38 percent said it would be higher, with the remainder pretty much split between saying it would be the same or lower. The answers broke the same way on the question of virtualization strategy.
When it comes to cyber attacks and data loss, the situation looks bleak based on the responses in the report.
Three quarters of respondents said their organization had experienced cyber attacks in the past 12 months, with 36 percent calling them "somewhat/highly effective." The annual cost of a cyber attack was pegged at more than $2 million for large enterprises when tallying up lost productivity, theft of intellectual property, loss of customers, legal fees and more.
"Every day we see new viruses, new spyware, new backdoors. It is beyond crazy," one IT director is quoted as saying. The survey showed the most frequent types of attacks were malware implantation, social-engineering ploys and denial-of-service (DoS) attacks.
On average, Web properties were targeted twice last year with the implanting of malware, and also suffered one significant DoS attack and one theft of information.
Data losses were attributed to numerous sources, including outsiders (20 percent) and accidental insider actions (15 percent).
Healthcare providers specifically reported 58 percent of data loss was accidental exposure of patient information, 22 percent was theft, with identity theft and even malware attacks on medical equipment a problem as well.
Patching is regarded by 87 percent of the respondents as one of the most effective measures to ward off cyber attacks, with about three quarters also putting trust in perimeter security and authentication processes, along with antimalware controls.
According to the survey, a surprising 20 percent of Windows-based PCs in use by employees were selected, purchased and owned by the employee, along with 12 percent of their laptops and 6 percent of smartphones. But 52 percent of the survey's IT and security pros viewed that as something that could compromise security.
With Windows 7 just released, one survey question on that topic indicated that 19 percent had "no plans" to use Windows 7, but 9 percent already had, and the rest were discussing or had plans for it. In all, 72 percent of the survey's respondents think Windows 7 offers improved security over previous Windows versions.
Finally, in something of a blow to Symantec and other security vendors, the survey asked telecom companies who they considered their main security vendor and found that about two-thirds said "network equipment providers" and only a third said "security companies."