Despite the impact that cyber incidents have on an organization’s overall business operations, security spending remains within the purview of the IT budget, albeit a small part.
In 2022, IT security made up just 5.2% of IT budgets, according to research from Gartner.
Yet, as small as that percentage looks, it is an improvement from the year before. Risk reduction is a driver for this increase, Gartner found.
Corporate leadership tends to have a low risk tolerance when it comes to protecting business assets. However, in recent years company officials have started to see cyber risk as a real threat to the organization’s reputational and financial interests.
Though there are constraints around cybersecurity budgets — and overall IT budgets, if you look at the big picture — the C-suite is becoming more invested in preventing cyber risk.
“Organizations are now better educated on the risks that exist within their application landscape affecting transactions and data and are taking action to secure those applications for both security and compliance purposes,” said Piyush Pandey, CEO at Pathlock.
Companies are making hard decisions about how to spend their budgets, though there is a broader understanding of the effect that cyber risk or an incident can have. Leadership is always looking at ways to offset costs by getting rid of other products in favor of newer — and better — functionality.
“CISOs and CIOs are invested more in optimizing and reducing the cost of security operations — fewer tools, fewer FTE spend for operating different tools, more automation, and increased focus on consolidation,” said Roy Akerman, co-founder and CEO at Rezonate.
The economic impact
The rise in security spending comes as the economy is slowing down. Many organizations are downsizing and examining where and how they spend money. IT is not immune to economic uncertainties, and companies are growing more thoughtful about their tech assets.
“We see a priority being placed on solutions that have a clear path to ROI within months, not years,” said Pandey.
This has led to less willingness to try new products and solutions, with leadership focusing on more predictable options with fewer security and tech personnel on staff to keep systems running.
Instead, organizations are designing their security spending around what will keep the business secure and operations running smoothly.
“CISOs and CIOs are trying to maximize their investments knowing there will not be any additional headcount to operate them,” said Akerman.
The regulatory angle
No matter how the economy turns, there is a driving factor that will influence security spending: government and industry regulations. Compliance standards play a large role in how organizations think about security spending and where they should focus their budgets.
Cyber incidents are expensive. IBM found that the average cost of a data breach was $4.4 million, a record high, according to the 2022 data breach report.
However, when companies were also cited for compliance failures, they ended up paying more than a million dollars in additional fines and other fees.
Ensuring regulatory compliance is met doesn’t come cheap, especially for industries that have multiple laws they must follow, but it is less expensive to budget for the security costs upfront than to pay for the incident aftermath.
Cyber insurance requirements can add up, too.
“Many organizations that have cybersecurity insurance are required to perform services and upgrade their networks to meet underwriting and policy requirements,” said Byron Rashed, a cybersecurity expert.
Even with the need to meet regulatory compliance requirements and simply to keep the network and data safe from attackers, it will always be an uphill climb for security spending to meet security reality.
“Justification of new or upgraded services, solutions, and hardware are under scrutiny to ensure budget dollars are justified,” said Rashed.
As long as that tight scrutiny remains, security budgets will take a backseat in overall IT spending.