"We're not immune to the economy's poor performance. While Harvard Business School has traditionally been a big spender, the current conditions have caused us to think twice just in case," he added. "I would be inclined to add that it's also caused my organization to think twice about different ways of tackling problems."
For example, he said, the organization has turned to "high-performance" commercial products to get it to that "85 percent" and filled in the rest with free and open source tools. "Also," he said, "we've stepped back a bit and looked at processes and procedures and how those can be improved rather than just throwing money at a vendor."
Security not linked to economy
Others confirm their organizations' plans reflect Forrester's findings. In these cases, security is an ongoing necessity unaffected by economic peaks and valleys.
"In the government, pressures caused by data losses have prompted more spending," said a UK-based IT security specialist who requested anonymity because he isn't authorized to speak to the press.
According to the Forrester report, firms are devoting 11.7 percent of their company's IT operating budget to IT security in 2008 compared with 7.2 percent in 2007, and they plan to continue nudging up IT security budgets in 2009 to 12.6 percent of the IT operating budget. Allocation of budget for new security initiatives mirrors this trend, going from 17.7 percent in 2008 to 18.5 percent in 2009, Penn said.
"There has been a clear and significant shift from what was the widely recognized state of security just a few years ago," the report notes. "Protecting the organization's information assets is the top issue facing security programs: data security (90 percent) is most often cited as an important or very important issue for IT security organizations, followed by application security (86 percent), and business continuity/disaster recovery (84 percent)."
Meanwhile, the report said, areas like threat management (81 percent) and regulatory compliance (80 percent) are cited less frequently. Data security also tops the list of business objectives for security, with 89 percent citing protection of corporate data and 87 percent citing protection of personal data as important or very important business objectives.
When security budgets aren't measured
In some cases, it's hard to figure out how far up or down spending is because the company in question doesn't have a specific line item for security.
"Most companies I have worked with don't even measure any type of security budget," said Nalneesh Gaur, chief information security architect and principal at Diamond Management & Technology Consultants Inc. in the Dallas/Fort Worth area. "As a consultant, I get involved with companies where something bad has happened like getting hacked. With getting hacked as the driver, I often see a surge in priority for security where the company will spend a lot of money."
The trick is whether they can sustain the program after the first year, he said.