SAN FRANCISCO – More than half of IT professionals plan to increase their spending on security in 2008, whether that means more resources, more products or more services. A survey of IT professionals conducted by InsightExpress for Cisco Systems found that three out of five IT professionals plan to increase IT spending this year, with that number fluctuating based on geography.

In February, Cisco released survey results of remote workers and their perceptions of security. Now, the networking vendor has turned its eye to the IT professional and how security is affecting the IT organization and its bottom line. Cisco surveyed IT professionals from 10 countries around the globe, including three emerging market countries (China, Brazil and India).

Overall, 62 per cent of professionals surveyed said they plan to increase security spending in 2008. While 25 per cent of IT professionals plan to increase security spending by less than 10 per cent, 37 per cent said they plan to increase spending by 10 per cent or more in the next year. In China and India, 83 per cent of IT professionals surveyed said they would increase security spending in 2008, while in Brazil, 68 per indicated such an increase, which Cisco attributed to more than just economic growth.

In the U.S., 53 per cent of IT professionals said they would increase security spending in 2008, with an almost even split between less than a 10 per cent increase and a 10 per cent or more increase (26 per cent versus 27 per cent, respectively).

According to Patrick Gray, business development manager for security at Cisco Systems, there’s a reason for the increasing in spending, and part of that reason has to do with the fact that IT has joined the mainstream business units in organizations.

“It’s no longer seen as a cost center but as a business enabler,” Gray said. IT brings in revenue and protects critical data and systems, he added.

However, an increase in spending isn’t necessarily good enough, as Gray differentiated between good spending and bad spending.

“I think that we need to start looking at good spending, putting things within our network that are going to protect us against all the different vectors that [hackers] are taking instead of reading about the newest threat of the day” and buying reactively, he said. One example of bad spending is purchasing what Gray called the “box du jour.” Instead, organizations need to take a holistic approach to security spending and make sure they’re protected properly from the edge to the core, he said. While businesses need firewalls, VPNs and other core security technologies that are available, he also said businesses have a tendency to throw a lot of technology at an issue instead of taking a more appropriate approach protecting their environments.

One way of doing this isn’t necessarily costly but can provide a lot of benefits to organizations. Cisco itself follows an approach it calls the “human firewall,” which has to do with understanding and educating the people in an organization. However, the education is less of a “do it or else” approach and more of a positive, proactive and rewarding approach that over time changes employee behavior in a good way, said Mia Bradway Winter, program manager for corporate security programs at Cisco Systems.

“We would think of employees armed with education and awareness as kind of the human firewall at Cisco because they are aware,” she said.

Technology is still a key ingredient to security, but even that can be taken too far in some environments. A heavy-handed approach may have made sense a few years back, but with the Internet as a critical communication and research resource, it may not be the best approach now.

“Being draconian is okay for some places, but being less than draconian is probably the best,” Gray said. Organizations can’t ignore the technology, though, but they have to make sure they’re implementing the right technology, he said.

This column was written by Chris Talbot of ConnectIT

a>>