What can you afford NOT to do on IT security?
There may be some security projects you can put off because of the recession—without risking your company's data or reputation.
Meanwhile, cybercrooks are targeting companies with increasingly sophisticated—and successful—attacks. For example, Symantec Corp. said in a report last month that at least $1.7 billion worth of bank accounts were compromised in the U.S. during the 12-month period that started in July 2007.
In light of all that, not making cutbacks in antivirus subscriptions and purchases of frontline security tools such as firewalls and network intrusion-detection systems is a no-brainer, security managers said.
Kirby said investments in outbound-traffic inspection tools and controls for locking down portable media devices also are worthwhile because of the heightened risk of insider attacks at a time of increased layoffs. In addition, he thinks that cutting back on disaster recovery and business continuity projects wouldn't be wise.
Whittling away at risk management and compliance oversight functions is another bad idea, said the chief privacy officer (CPO) at a large financial services firm. That could leave companies facing potentially serious consequences for not complying with security requirements, he said.
What to Cut
But there are other areas in which IT and security managers may be able to ease up on spending. Kirby said that although intrusion-detection systems are a must-have item, many companies can live without intrusion-prevention tools, which are more sophisticated but also more expensive and harder to manage. He added that biometric security projects can often be postponed.
Paring back on third-party security education and training programs can also yield some extra dollars that can be used for other purposes, said the CPO, who asked not to be identified. "Companies have a lot of vendor-hosted or vendor-provided education programs—kind of, 'Here's how you do data security if you're covered by HIPAA or by PCI,' " he said. According to the CPO, the cost of individual programs can sometimes top $200,000 annually, depending on the number of employees being trained.
Marcin Czabanski, director of IT at LifeSecure Insurance Co. in Brighton, Mich., said companies should also look for ways to move applications—and their security functions—into the computing clouds offered by vendors such as Google, Microsoft and Amazon.com.
By doing so, Czabanski said, "you can outsource a lot of the headache" of managing and securing desktop applications—and do so for less money than keeping the work in-house.
E-mail is another application that can move to the cloud. The Henssler Financial Group in Kennesaw, Ga., is a user of Google's Postini e-mail security and archiving services. Tim O'Pry, Henssler's chief technology officer, said the arrangement has enabled the financial services firm to offload to Google the hassle and expense of securing its e-mail system.