Are CIOs Too Cocky About Security?

28.09.2011

That complacency could partially explain why so many organizations have decided to defer security spending. This year, 51 percent of respondents said they were postponing security-related capital expenditures, up from 46 percent last year. Operating expenditures didn't get by unscathed either, with 48 percent of respondents saying they've deferred projects. That's up from 43 percent.

That's not to say respondents aren't spending on security. They are, and they're focusing on protecting Web attack vectors and deploying technologies that aim to prevent attacks. Investment in application firewalls grew from 72 percent to 80 percent in the past year, and investment in malicious-code-detection tools rose from 72 to 83 percent.

"It's good to see the investment in technologies," says Lobel. "However, the data shows they're not making investments in the processes necessary to make sure security policies are in place so [technology] works in sync to defend the enterprise."

Robert Fecteau, business technology officer at BAE Systems Intelligence and Security, calls the security budget cuts shortsighted. Security breaches can leak product designs, ruin reputations and make a company less competitive, he points out. "If your systems are penetrated, everything that you thought you saved in budget cutbacks will be lost."
