IT Security Spending Trends Align with Business Needs

Bethesda, Md. – IT and security budgets are on the rise, and they are aligning with the business needs of their organizations, according to results of a new survey to be released by SANS Institute on February 3.

"We have seen many surveys that delineate the costs involved in budgeting and spending for security," says Barbara Filkins, SANS Analyst and author of the survey results paper. "This survey fills a gap in that it shows how organizations are going about their investment--answering the what, why, where and how questions about their securing spending and budget processes."

Results show that respondents are positioning security as a business enabler. According to the survey, 80% use regulatory requirements to justify their budgets and expenditures, while 78% align spending with business objectives. This reflects the primary business driver for security spending--protection of sensitive data--as well as the operational area that accounts for most current security spending--protection and prevention.

Most organizations track security spending as part of another cost center, whether under IT (48%), general operations (19%) or compliance (4%). Only 23% track security spending as its own cost center.

Results also introduced some contradictions. Survey respondents aligned their security spending with proactive operational areas and are seeking skills in preventative technologies, such as application and data security. However, their technology spending doesn't reflect this. Rather than DLP, encryption and compliance technologies, respondents say their organizations are purchasing technologies to support secure access, malware prevention and endpoint security. Data protection was their fourth choice.

Throughout the survey, respondents shared their experiences with security spending and provided advice on budgeting for security. Some of their quotes will be published anonymously in the survey paper.

Full results will be shared during a February 3, 2016, webcast at 1 PM EDT, sponsored by Arbor Networks and Gigamon, and hosted by SANS. Register to attend the webcast at

Those who register for the webcast will hear SANS Analysts Barbara Filkins and G. Mark Hardy share their views of the results, along with presentations by sponsor speakers who relate budgeting to their businesses. Registrants will also receive access to the published results paper developed by Filkins.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.