We’re just ramping up at Forrester to start our 2010 Business Data Services’ Security Survey. To begin, I’ve started taking a measured look at last year’s questions and data. Additionally, I’ll be incorporating input from those analysts with their ears closest to the ground in various areas, and will be considering the feedback from our existing BDS clients.

I also welcome input here into what you would find useful for us to ask of senior IT security decision-makers, as development of the survey will take place over the next three weeks.

The survey is scheduled to be fielded in May and early June—with the final data set becoming available in July. The projected sample size is 2,200 organizations across the US, Canada, France, the UK, and Germany: split roughly 2:1 between North America and Europe, and with a 55/45 split for SMBs (20-1000 employees) vs. enterprises (1000+ employees). Concurrently, we ask a separate set of questions to respondents from “very small businesses” (VSBs) with 2-19 employees. We also set quotas around industry groupings, so each industry is appropriately represented. We source our panel from LinkedIn, which provides an excellent quality of respondents.

The Security Survey is an invaluable tool that provides insight into a range of topics critical for strategy decision-making: IT security priorities and challenges; organizational structure and responsibilities; security budgets; and current adoption across all security technology segments, whether as products or as SaaS/managed services, along with the associated drivers and challenges around the technology.

Here are a few valuable data points from last year’s survey:

  • Contrary to popular wisdom, enterprises are adopting managed security services more quickly than SMBs in 9 of the 12 security service categories we asked about
  • IT Security decision-makers expressed even more concern about consumerization (smart phones, web 2.0, etc.) than about cloud or virtualization.
  • The level of compliance with PCI showed little progress: from 2007 to 2009, PCI compliance only rose from 46% to 51% among enterprises, and from 35% to 47% among SMBs. North American organizations are still not where they should be, and the level of PCI compliance in Europe is especially poor.
  • “Managing vulnerabilities and complex threats” moved several slots up the ranks to become the #2 IT security priority


Naturally, we try to keep a lot of the survey the same year to year so we get useful trending data. But there are also several areas we’re thinking about adding or delving into more deeply, such as:

  • Emerging security issues: securing the cloud, cyber-security and critical infrastructure protection, and security associated with “smart” initiatives
  • More insight into data breaches: not just the number and average cost, but the vector for data loss and the indirect impact (loss of customers, bad publicity, etc.)
  • Security policy and technologies in place or planned to address both mobility and adoption of Web 2.0

If you have anything to share, please reach out to me through this blog or directly at jpenn@forrester.com