Security Budget Increases Only 6% On Average, Organizations Slowing Cybersecurity Spending in Uncertain Economy

A new report from IANS Research and Artico Search shows that the average security budget is only up by 6% this year, a significant reduction from the increases seen in recent years.

Cybersecurity spending is slowing the most in technology firms and the retail sector, but has increased in business services and continues to be a priority for finance firms.

Security budget increases down 65% from last year

The cooling of security budgets appears to be part of a greater pattern of IT budget cuts. Cybersecurity spending also saw a natural spike in previous years due to the pandemic conditions, as organizations shifted everything to the cloud very quickly and weathered corresponding crime waves, something that may be slowing down at this point as workers are herded back to the office.

Security budgets increased by 16% in 2020-2021 and 17% in 2021-2022, so the drop to just 6% is substantial (representing a 65% decrease in the rate of budget growth from the prior year). The IANS study surveys over 500 organizations in a variety of industries, and this pattern is not consistent across all sectors. Tech firms saw the biggest drop, slowing from increases of over 30% each year to just 5% this year. Many sectors stayed at similar numbers, but several, such as business services and manufacturing, actually continued to proportionally increase security budgets again this year. The report chalks up some of this discrepancy to program maturity.

In total, 37% of security budgets stayed flat or declined this year, up from 21% last year. Of those that saw decreases, CISOs reported that it was not uncommon for cybersecurity spending that had previously been approved for 2023 to suddenly be slashed in Q4 2022 as companies began implementing organization-wide belt-tightening programs.

When security budgets do increase, the vast majority of CISOs indicate that it is in response to an “extraordinary circumstance,” such as a serious breach or a major disruption that impacts the whole industry. In these cases, cybersecurity spending increases by 18% to 27%, a little above the increases of the previous two years.

Cybersecurity spending is also tilting toward hiring and away from tools, with a 16% increase in resources allocated specifically to bringing in new people. As another indicator of program maturity having an influence on priorities, CISOs tend to report that the organization now has its desired tools in place but is still struggling to find enough qualified people to man all the necessary posts.

The security share of the overall IT budget continued a slow rise that has taken place over the last four years, now at 11.6% on average. This is another area in which there is disparity between industries, however, with tech and finance devoting much more of their IT budgets to security than retail and health care (something of a surprise given how heavily the latter has been targeted as of late).

Cybersecurity spending impacted by inflation, recession fears

Recent company-wide cuts have been fueled by the continuing problem of inflation, projections of a recession kicking off sometime from late 2023 to mid-2024, and general global financial uncertainty. Cybersecurity spending has obviously not been spared this, but certain specific elements continue to see vigorous spending as the threat landscape remains more active than in the pre-pandemic years.

Staff and compensation represent the largest share of security budgets for all organizations (at 38%), but this number goes up substantially (to 47%) when firms are fully reliant on cloud-based architecture. However, there is little change from the overall average when “most” of the architecture is based in the cloud.

IANS Senior Research Director Nick Kakolowski observes that, though companies still have particular points of security focus and security budgets are increasing in their share of overall IT spend, the situation is not adequate to keep up with the increase in workload and responsibility that security teams are now facing. Very recent compromises of multiple crypto platforms along with major companies such as Caesars, MGM and Clorox demonstrate that cybersecurity spending may well not be adequate at many organizations even with continued year-over-year budget increases.

This follows an August report from YL Ventures that surveyed Fortune 1000 CISOs. 33% of those surveyed said cybersecurity spending had decreased, while another 33% said that their security budgets were unchanged. A whopping 75% said that cloud security was one of the highest priorities of the moment. That report was more favorable to vendors, however, with 45% of CISOs saying they were open to pitches on new technology solutions from any source and 70% saying that automation is a priority. An April Gartner report additionally suggested that the next few years will see organizations shift heavily to internal “quiet hiring” and promotions to address the personnel gap.