9.53 AM Wednesday, 24 April 2024

Firms spend only up to 20% of their budget on IT security

IT teams are under constant pressure to demonstrate tangible business benefits of spending more on security. (GETTY IMAGES)

By Nancy Sudheer

Security accounts for only 10 to 20 per cent of overall IT budgets within UAE enterprises – well below global standards.

There is awareness, say experts, but security is still often viewed with a closed mind.

IT security is not just about protecting the perimeter but has evolved as Web 2.0 and social media have taken the limelight. Employees are increasingly becoming mobile, which makes it important for organisations to consider cloud computing and software as a service (SaaS) as parts of their security strategies.

However, security companies have seen a change since 2008 as threats have increased greatly, and this has changed the priorities of many organisations in the region.

Emirates Business discussed IT security with Hamed Diab, Regional Director of McAfee Middle East; Johnny Karam, Regional Director of Symantec Mena; Rik Ferguson, Solutions Architect, Emea at Trend Micro and Judhi Prasetyo, Regional Channel Manager at Fortinet Middle East.


How much of a share of IT budgets is allocated to security?

Diab: Security is high on all businesses' agendas, specifically for CIOs and CISOs, and is now taking precedence over a number of other issues. McAfee has seen security rise as a priority and this is having a knock-on effect on spend during 2009. This was driven by two factors: Firstly, security is no longer seen as a cost overhead as businesses strive to be more efficient and protect their data. Secondly, businesses are now consolidating both vendors and services, opting for integrated suites of products in an attempt to reduce operational costs.

Karam: More prominence is being given to security-related issues by enterprises. This is mainly because of the increased risk landscape. We know for a fact that cyber criminals are after personal and confidential data, and all this data is exchanged in a mature underground economy. The attacks are all for financial gains now.

Ferguson: According to a recent Forrester report, spending on security was projected to reach 12.6 per cent of total IT spending in 2009, up from 7.2 per cent in 2007 and 11.7 per cent in 2008. Security is projected to account for 18 per cent of new project budgets.

Prasetyo: I would say up to 25 per cent. In general, I think the biggest spending is still on infrastructure, followed by applications with security coming last. IT security is a broad topic; it would be difficult to pinpoint how enterprises prioritise their budgets. There are many threats posed to IT systems and it all still depends on the company's priorities and their risk management. Even though Middle East businesses are recovering from the recent tough times, discussions about budgets are still being evaded. So, in an atmosphere of budget cuts, if businesses turn a blind eye to the need for security, IT teams are under constant pressure to demonstrate tangible business benefits for giving priority to spending more on security.

Do you think the security spend in the region is on a par with global markets?

Diab: It's not a straight comparison when analysing the Middle East in relation to other global, and more mature, markets. Companies in the US, Germany, France and the UK certainly have been functioning a longer time with more historical, natural growth. However, at McAfee we would certainly say that the Middle East market is an area of great potential when it comes to security spend as it is necessary to both build and sustain security solutions. Therefore, McAfee believes we will see greater investment in the region in the coming years.

Karam: The spend is a function of organisational risk maturity, information-centric environments and appetite to risk. We see certain customers and industries that are on par while others require assistance to get the proper awareness on the risk they face by being unprotected.

Ferguson: The Middle East is still a growing region for IT infrastructure and, as such, security considerations. I would expect spending to be much higher to catch up with the markets that have more established infrastructures. While there is growth in security spend, we have some way to go before this catches up with the global market.

Prasetyo: Not yet. Spending on IT security globally can reach 30 to 40 per cent of the whole IT budget, but here it is around 10 to 20 per cent. The highest we have seen is 25 per cent. Most enterprises globally are shifting from computer security threat defence to corporate data protection, which can be seen as an increase in the budget for IT security. I expect the Middle East market to eventually follow the same trend.

Do companies require a lot of convincing before they agree to spend on security?

Diab: Businesses do understand the need for security, but not the intricacies. It is key for companies to fully understand the issues, threats and business benefits of security. However, security has to be aligned with the nature of the business and its needs. Businesses don't want their on-the-ground activity to be stopped or slowed down by security technologies or protocol. For example, marketers are now using social networking sites and new Web 2.0 technologies to promote their organisation, products or services but, despite understanding security requirements, may not advise the necessary security contacts of their actions or plans. This can potentially leave an organisation open to malware or hacking, so it really is key to ensure organisations understand the potential security impact of their day-to-day business activities.

Karam: Symantec issued more malware signatures in 2008 than in the previous 17 years combined. And in 2008, Symantec documented a total of 5,471 vulnerabilities, 80 per cent of which were easily exploitable. In a cyber environment such as this, most companies are already aware of the risks to their business and don't need much convincing to spend on security solutions.

Ferguson: I don't think companies require convincing to spend on security, but an area where people do seem to have trouble is in focusing efforts on the right projects and the right processes. Information security in the present day is about so much more than "just IT" and this is a mindset that still needs to shift within some companies. For example, data leakage prevention projects need to involve key stakeholders from within the business – information owners from each affected department. There is a whole process of identification and classification that needs to be undertaken, followed by policy definition, education, training and user acceptance even before any technology is deployed. It's tough to focus on technology to try and solve a problem before you have clearly defined it.

Prasetyo: It is generally easier these days, especially as online applications become mainstream. People and businesses know that effective security can help them be in control. Security also is significant in protecting information from malicious alterations and/or deletions or from unauthorised disclosure. However, enterprises still do not prioritise security in their budgets or, if they do, they do not understand the full extent of vulnerabilities on their networks.

Have you seen a change in attitude towards security within organisations?

Diab: Organisations are currently looking at ways to optimise security and are questioning which potential routes to follow – cloud computing, outsourcing and so on. And though many organisations are aware of such solutions, they want to know what the day-to-day reality of these would be for their businesses. Right now, businesses in the Middle East are focusing on trying to protect their data and control its flow and have correctly taken the first steps in doing this. However, with more than two million new threats in 2008 alone – five times more than the previous year – it's imperative they take the next step to secure data from malware threats and loss.

Karam: There has been a shift in attitude towards security within enterprises; security projects have gained priority. Surface area is growing for enterprises, which means more users, devices with more power, data is doubling every year, and more complexity such as SaaS and cloud to plan for.

Ferguson: Yes, we are definitely seeing a devolution of security, and IT responsibilities in general, away from being a centralised function and more into distributed teams embedded throughout the organisation. The increasing digitisation and centralisation of information, the changing nature of malware, the decreasing relevance of perimeter-based security and the rapid spread of new communication, collaboration and data storage technologies all mean that the role that every individual plays in the security of corporate data is key.

Prasetyo: Yes, I think there is more awareness about the importance of security. However, security, in terms of budgets, is still placed last. Additionally, most enterprises are going on a shift from computer security threat defence to corporate data protection and this represents a more proactive and aggressive approach, especially for small and medium enterprises. Focusing on data protection eliminates, or at least reduces, the "tracing the hackers" approach and instead makes companies build defences around their most important data. The evolution of organisations with more and more mobile users accessing the corporate network remotely also drives a new approach to network security.

How has the market environment changed for security companies in the Middle East?

Diab: It has changed considerably in the past year as companies strive to keep their important information and knowledge secure in such challenging economic times. With increased online threats such as malware and hackers that are continuing to earn significant profits from gaining financial and personal information, it is clear that organisations are keen to build their security blueprint.

Karam: Customers are very interested today in the ramifications of the economic situation. They understand the risk of information leakage as workforces are reduced. We are seeing an uptake on protecting the information-centric environment of customers. Regulations are also being enforced in the financial sector with strict deadlines; Symantec is helping customers to meet those deadlines on PCI compliance through extensive human expertise such as QSA certified consultants and tools to enforce compliance.

Ferguson: The region is now becoming more aware of the threats and the risks associated with systems becoming compromised. As such, we are seeing a growing demand for security solutions at above market rates.

Prasetyo: More firms are aware of the need for security but security itself is a very broad topic ranging all the way from end-point security to network security to application security and authentication. Most firms in the region still focus on network and end-point security. The market now has a stronger adoption of managed security services both at SMB and enterprise levels.
