Nothing gets a rise out of security vendors like a good story about under-investment and spending cuts by the very enterprises that a hundred headlines a week tell us are being plundered by cyber-criminals at will.

But there it is in black and white – a global survey of 9,700 CEOs, CTOs, CFOs and CIOs by normally sober consultant PwC found an unexpected four percent drop in security budgets last year compared to 2013, leaving investment “stalled” at 3.8 percent of all IT spending.

This is a surprise because everyone knows security is going to hell in a handcart. The Chinese are at it, the Russians are at it, a million self-employed cyber-criminals are at it while even America’s own NSA raids its friends using a sinister horde of J. Edgar Hoovers with PhDs in advanced encryption. What in the hell are the businesses thinking of by recklessly CUTTING spending?

Within an hour of the report being made public, a wave of disappointed comment from security companies washed through the inboxes of journalists. Without naming the vendors, the tone of the comments repeated itself over and over: things are getting worse, there are more attacks, spending should be rising and not falling.

In fact PwC’s report offers nuanced context for this apparent fall that the commenters obviously didn’t bother to read. Security spending actually rose sharply in the previous period, with investment up by 51 percent in 2013 alone. Overall, security investment rose for three years in a row before 2014.

“It could be that this year’s respondents were hard-pressed to continue investments at that accelerated pace,” suggested PwC’s researchers, reasonably.

Most of the spending fall was in SMBs with revenues under $100 million (£60 million), which saw a 20 percent drop. By contrast, medium-to-large companies increased their investment by 5 percent. Some sectors saw large security spending increases, including healthcare (+66 percent), oil and gas (+15 percent), and utilities (+9 percent). So spending fell in some places but rose elsewhere.

PwC wonders whether the drop among smaller firms is caused by security fatigue. There have never been more types of attack but there have also never been more products to defend against attacks. Faced with this overload, SMBs are struggling to make choices based on conventional RoI. As likely, says PwC, with security skills in short supply bigger firms could be buying up the talent needed to deploy all this good stuff, leaving smaller companies short of smarts.

But is it even the case that simply pouring more money into security is a good strategy in the first place? Customers might be starting to have doubts. For instance, the root causes of the security breaches that have humiliated the US retail sector in the last two years are diverse, but it's hardly a coincidence that US point of sale (POS) terminals capture the credit card details of each customer 'in the clear'. This is a problem of lousy security design and can’t be solved by hiring a few more heads or buying another security appliance.

Arguably, then, the US retail sector brought some of this on itself by not accelerating the adoption of the more secure EMV technology used in Europe. This battle wasn't lost in 2013; it was lost a decade earlier, when card networks and retailers sat down to talk about the future.

As for security vendors, it can sound paradoxical to bemoan a fall in the amount of money being pushed at security when that is precisely the argument many of them use to advertise their systems. And the vendors are right – as security systems become better integrated and more automated they require less management, which means fewer expensive experts sitting in front of keyboards.

Wasn't getting more protection for the same or less money supposed to be the whole point of investing in security?