"Companies are already minimising their security spend wherever possible," he said. "The bulk of a security budget is [for] operating that infrastructure and it is hard to make cuts without impacting core technology controls."
Businesses are also more likely to incorporate security spending into specific projects, with their own distinct financial goals, and business units are becoming more aware of how IT security can help the business to develop new products or services. Online banking is one area where companies have been able to use the internet to drive out significant costs, through slimming down branch networks.
"The perfect situation is where new security features represent incremental changes for the IT department," he said. "I would be worried if IT invested first in new features and then let the business know about them IT should be asking the business where it is going, and how can it meet their needs as an IT supplier. Security investments should be made on that basis."
But Campbell also highlighted the WikiLeaks diplomatic cables as an example of where organisations had failed to keep up with security threats. Standard data leak prevention technology could have stopped an incident that, according to Campbell, was "preventable".
