1. The Security Imperative

Old notion: In tight times, table or trim back all projects. New order: Move forward. To delay is to lose out on savings and innovation.


"In businesses that are really under cost pressure, they may be very tempted to take the security risk to use these cheaper consumer alternatives," Pescatore adds.

The financial meltdown may also spark more regulations to address financial wrongdoing this year, which could in turn drive spending on reporting tools. While the new regulations may affect only financial firms, as opposed to every publicly traded company, "there may be a push for new risk reporting directly to the government," Pescatore says.

Getting Compliant

In the meantime, companies in many industries will be working to comply with legal and regulatory mandates that protect private, sensitive information.

For instance, utilities have mandates from several regulatory bodies requiring them to secure SCADA -- supervisory control and data acquisition -- systems and industrial control tools that monitor processes. In the financial services sector, smaller banks are moving toward dual authentication to meet FDIC, Federal Financial Institutions Examination Council and Basel II standards. And retailers must meet payment-card industry requirements.

"Information security is non-negotiable for these organizations," says Jeff Bernstein, senior director of information assurance at Asero Worldwide Inc. in Washington. "For IT purchases such as hardware and software, there will probably be some suffering. But meeting internal and external security requirements" won't be compromised, he adds.

Industry-watchers worry that postponing some IT security projects could lead to risky business behaviors -- especially with pesky new botnets infecting the most secure enterprises. "If I don't look for [malware], I'm not going to incur the expense of doing anything about them," Pescatore says.

The Procter & Gamble Co. has invested heavily in IT security, yet in 2007 it found that 4% of its PCs were compromised by botnets, according to a Gartner case study. To fix the problem, P&G had to reimage most of the 3,000 PCs -- an expensive task.

But dealing with a breach is more expensive than preventing one, Pescatore says. An incident where information on 100,000 customers is exposed typically costs an enterprise $10 million to $15 million to fix, excluding damage to the brand name. But preventing a data leak costs $3 million to $5 million.

And with layoffs looming in all sectors, Gartner expects more companies to consider outsourcing some security functions. Also expect companies to turn to "security as a service" to help reduce software, management and maintenance costs and lower in-house power and cooling costs.

"Over five years, it may cost you more," Pescatore says, "but in 2009, it will cost you less."

Next: Strong demand for the benefits of virtualization continues to propel server projects

Collett is a Computerworld contributing writer. Contact her at stcollett@aol.com.

Copyright © 2008 IDG Communications, Inc.
