IT security budgets are on the rise, reflecting growing concern over data breaches and an increasing need to protect sensitive data, according to Forrester Research.

Ten percent of IT operating budgets is devoted to security in 2008, an increase from 8 percent last year, a Forrester study has revealed.

In a survey of 1,255 security decision-makers at North American companies, 21 percent expect to increase IT security spending in 2009, compared with 6 percent who expect security spending to decrease. The rest will keep their security budgets stable. Those are impressive numbers in this economy, analyst Khalid Kark said in a keynote during Forrester's Security Forum in Boston.

"I remember when the security budget was less than 4 percent of the IT budget," Kark said. "This number is amazing. In this tough economic time, three out of four of us are saying we're going to keep this 10 percent budget and one in five of us are (sic) saying we're going to increase this budget in the next 12 months. Wow, that's great."

If there is a downside for security-minded IT professionals, it's that more money brings greater scrutiny. More red tape, processes and approvals are needed to justify purchases of even relatively minor security products, Kark said. An organisation-wide focus on security also brings higher expectations, and sometimes conflicting expectations from the various departments in a business.

But IT security pros are enjoying greater influence with business executives. Security has been the top priority for CIOs in Forrester surveys for four straight years, and 30 percent of security decision-makers surveyed report having a "dotted-line relationship" with the board or CEO. Another 19 percent report having such direct links to the executive committee.

"We've all been frustrated in making the case for information security, getting [the business executives] to buy in. But I think times have changed," Kark said. "I remember the time when I had to wait two weeks to get a meeting with the CIO, let alone the CEO."

Kark attributes this change in attitude partly to data breaches and resulting media coverage and lawsuits that focus public scrutiny on information security. But the shift has also occurred because IT professionals have spent years arguing that security deserves greater attention, and CEOs are starting to get it, he said.

The challenges of security are numerous, and include protecting customer information and corporate intellectual property while developing disaster recovery capabilities, Kark said. Businesses must also decide whether it's appropriate to merge IT security with physical security. While that convergence makes sense in some cases, in other businesses the two types of security are operated so differently that a convergence creates more problems than it solves, Kark said.