Cybersecurity budgets lose momentum in uncertain economy
Organizations' increasing prioritization of cybersecurity has protected most programs from major budget cuts. Even so, many CISOs are feeling the pinch.
Cybersecurity budgets are relatively resilient to economic dips, many experts say, as today's businesses remain keen to avoid costly cyber attacks during downturns.
Yet, security programs are not impervious to budgetary pressures. As organizations continue to grapple with economic instability, many CISOs face new security spending constraints, according to a recent report from IANS and recruiting firm Artico Search.
More than one-third of CISOs reported flat or shrinking cybersecurity budgets in 2023. And, while cybersecurity budgets grew 6% on average, that number was down from 17% the previous year. A survey by PwC suggested a similar outlook for 2024, with 79% of organizations increasing their cybersecurity budgets -- but just one in 10 doing so by at least 15%.
Dennis Brown, senior software engineer at gamified language learning app Ling, said he is seeing a modest but welcome increase in his 2024 cybersecurity budget.
"While I hoped for more, in an uncertain climate, any rise is positive," Brown said. "It reflects a commitment to security."
Cuts hit tech budgets before cybersecurity budgets
Cybersecurity made up a steadily growing proportion of total IT costs between 2020 and 2024, according to the IANS research. On average, cybersecurity budgets accounted for 11.6% of total IT spending in 2023, up from 8.6% in 2020.
This is, in part, because tech budgets are experiencing bigger cuts than cybersecurity budgets, the researchers suggested. They also noted the continuing commoditization of IT, making it more affordable, even as cybersecurity technology becomes more complex and costly.
Notably, the proportion of IT budgets organizations devoted to cybersecurity varied significantly across organizations and sectors. At one end of the curve, tech firms spent 19.4% of their total IT budgets on security, while retail companies spent just 7.2%.
CISOs feel the pinch
Although cybersecurity is increasingly a top priority for businesses of all types and sizes, economic factors, such as inflation and fears of a global recession, have led to organization-wide belt-tightening at many companies.
"Security is not immune to the economic woes that impact the overall financial situation of their company," said Steve Martano, partner in Artico Search's cybersecurity practice, in the IANS report.
Harman Singh, director at cybersecurity services company Cyphere, said he has observed security leaders under growing pressure to justify their budgets. As a result, he added, many are looking at ways to reduce costs, such as automation and security tool consolidation.
"CISOs will need to be strategic about their spending and focus on investing in areas that will have the biggest impact on their organization's security posture," Singh said. Increasingly, security leaders are letting data drive these decisions, he added.
In calculating cybersecurity ROI, avoid vague arguments that a particular investment helped prevent a costly -- but purely hypothetical -- security incident, recommended Jerald Murphy, senior vice president of research and consulting at Nemertes Research.
Rather, Murphy advised, pull concrete data from sources such as log files and event tickets, along with estimates of the organization's hourly revenue and a typical cybersecurity analyst's hourly pay. Then, calculate how an investment has affected quantifiable security metrics, such as the following:
- Number of security events and their severity levels.
- Incident response times.
- Time to remediation of incidents.
- Security staff efficiency and productivity.
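As an added illustration of the calculation Murphy describes (not code from the article or from Nemertes Research), the following sketch compares the listed metrics across two equal-length periods, before and after an investment. The ticket fields, sample records, pay and revenue figures are all constructed, and pricing downtime at hourly revenue is an assumption about how that estimate is used.

```python
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%d %H:%M"

# Constructed ticket export: opened, first response, remediated, severity,
# analyst hours logged, hours of revenue-affecting downtime.
BEFORE = [
    ("2023-01-04 09:00", "2023-01-04 13:00", "2023-01-05 09:00", "high", 10.0, 2.0),
    ("2023-01-11 10:00", "2023-01-11 12:00", "2023-01-11 22:00", "low", 4.0, 0.0),
    ("2023-02-02 08:00", "2023-02-02 14:00", "2023-02-03 20:00", "high", 16.0, 3.0),
]
AFTER = [
    ("2023-07-06 09:00", "2023-07-06 10:00", "2023-07-06 17:00", "high", 5.0, 0.5),
    ("2023-08-15 11:00", "2023-08-15 12:00", "2023-08-15 15:00", "low", 2.0, 0.0),
]

def hours_between(start, end):
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 3600

def period_metrics(tickets):
    """Event counts, response and remediation times, and staff effort for one period."""
    by_severity = {}
    for t in tickets:
        by_severity[t[3]] = by_severity.get(t[3], 0) + 1
    has = bool(tickets)  # a period with no tickets reports zero times, not an error
    return {
        "events": len(tickets),
        "by_severity": by_severity,
        "mean_response_h": mean(hours_between(t[0], t[1]) for t in tickets) if has else 0.0,
        "mean_remediation_h": mean(hours_between(t[0], t[2]) for t in tickets) if has else 0.0,
        "analyst_hours": sum(t[4] for t in tickets),
        "downtime_hours": sum(t[5] for t in tickets),
    }

def period_cost(metrics, analyst_hourly_pay, hourly_revenue):
    # Assumption: incident cost = analyst time at hourly pay + downtime at hourly revenue.
    return (metrics["analyst_hours"] * analyst_hourly_pay
            + metrics["downtime_hours"] * hourly_revenue)

def savings(before, after, analyst_hourly_pay, hourly_revenue):
    """Cost difference between the two periods; positive means the later period cost less."""
    b, a = period_metrics(before), period_metrics(after)
    return (period_cost(b, analyst_hourly_pay, hourly_revenue)
            - period_cost(a, analyst_hourly_pay, hourly_revenue))

if __name__ == "__main__":
    print(period_metrics(BEFORE))
    print(period_metrics(AFTER))
    print(savings(BEFORE, AFTER, analyst_hourly_pay=60, hourly_revenue=5000))
```

The difference returned by `savings` is what gets weighed against the cost of the investment; it reflects only incidents that were actually ticketed.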
Most cybersecurity budget bumps are reactive
Independent security analyst Nathan Jacobs said one of his clients, a cryptocurrency media group, recently decided to increase its cybersecurity budget after experiencing a major internal security incident. "It was a real eye-opener," Jacobs said.
In response, the organization decided to make significant new investments in security infrastructure, advanced threat systems and security awareness training.
IANS found that, among firms whose cybersecurity budgets grew in 2023, four in five reported the increases were reactive rather than routine. They cited the following primary drivers:
- 17% -- Growing cyber-risk.
- 15% -- Digital transformation.
- 12% -- M&A or other organizational change.
- 8% -- Change in risk appetite.
- 8% -- Major industry disruptions, such as high-profile data breaches.
Cybersecurity budgets forecast
According to the PwC survey, one in five organizations is seeing its 2024 cybersecurity budget shrink or stagnate. Overall, however, experts anticipate security and risk spending will continue to grow -- 14% in 2024 by Gartner's estimate.
"While the specific budget allocation for cybersecurity may vary from organization to organization, the overall trend is clear," said Joseph Harisson, CEO of IT Companies Network, an online directory of service providers. "Businesses are investing heavily to protect their assets and data."
Major drivers of growing cybersecurity budgets, despite ongoing economic uncertainty, include the following, Harisson said:
- Increasingly sophisticated cyberthreats.
- Expanding attack surfaces.
- Rising regulatory scrutiny.
- Board-level recognition of cybersecurity's importance.
Alissa Irei is senior site editor for TechTarget Security. In previous roles at TechTarget, she was a senior writer, features and e-zine editor, and site editor.