Via Information Week, a survey conducted by nCircle reports that IT spending on compliance and security is down markedly in 2011:
Information security budgets are continuing to be squeezed by the economic downturn, with half of businesses reporting that their security spending has decreased in the past year. In comparison, only 37% of security professionals reported similar budget decreases in 2010.
Beyond security spending cuts, 18% of businesses, up from 12% in 2010, report that they've also cut IT compliance-related spending. But these budget decreases can cause problems. For starters, 30% of security professionals said that their companies aren't adequately enforcing security policies, and 44% don't think they're effectively measuring security risk or regulatory compliance effectiveness.
That 30% number doesn't surprise me -- generally speaking, employees don't seem to feel that their group or cause, whatever it is, is being adequately funded or appreciated.
The second number should raise the eyebrow of those in the ERP world -- and specifically in the GRC space. It's one thing to think security policies aren't being enforced, but when nearly half of those surveyed find that risk and compliance aren't being addressed, it represents an opportunity.
While it seems to be negative in the short term, I can't help but think this is a good sign, ultimately, for SAP BusinessObjects GRC 10, SAP's complete overhaul of its GRC solution that was previously cobbled together from old Virsa products. (My colleague Davin Wilfrid covered the announcement of GRC 10, referencing the importance of risk management and the analytic side of GRC.)
We've seen numerous security problems of late -- 95% of survey respondents expected to have more data breaches this year than last. And the growing popularity of cloud computing (the security of which can't yet be guaranteed, due to how new it is) should only add to such problems. If companies try to bypass their GRC processes with cut-rate policies and technology, they're going to get burned -- there's really no way around it. And SAP finally has a comprehensive solution it can present to such organizations. If SAP can ride out bumps in the road in the very near term related to budgets, I think they'll find customers in the long run. ERP systems are too important to business; companies aren't going to be able to get away with a lack of security and risk management for long.