There was a 65% drop in growth in cybersecurity spending during the 2022-23 budget cycle, according to IANS Research’s 2023 Security Budget Benchmark Summary Report, which found spending in the U.S. and Canada only increased by an average of 6%, down from 17%.
The report also unveiled significant shifts in cybersecurity spending trends, where among the more than 550 CISOs surveyed, 37% reported stagnant or reduced budgets, a notable increase from the previous cycle’s 21%.
Technology companies, which previously experienced 30% growth, faced the most substantial decline, averaging just a 5% budget increase.
In contrast, 63% of organizations reported budget hikes, driven by various factors.
Notably, 17% attributed increases to heightened security risks, while 15% cited digital transformation efforts triggered by industry disruptions or high-profile breaches.
On average, organizations adjusting budgets in response to major incidents boosted their cybersecurity budgets by 27%.
Timothy Morris, chief security advisor at Tanium, pointed out there are multiple reasons for the drop in budgets unveiled in the report.
“The biggest were the inflationary and recessionary pressures,” he explained. “There are traditionally annual ‘haircuts’ with any security or IT budgets, but tougher economic times will cause deeper cuts.”
He added that despite the economic pressures and the current climate of attacks, breaches and regulations, very few want to “go on the record” as cutting security.
“This may be a reason why security budgets didn’t get reduced as much as other budgets,” Morris noted.
He said cloud, automation and AI were where the “transformation” project pressures mostly came from.
“But that can change depending upon the industry and whether or not the entity is private or public,” he added.
As the report pointed out, venture capital and private equity-funded firms are spending more on security.
“Other entities that have higher and visible risks with recent newsworthy attacks and breaches can increase budgets or cause them to be flat at a minimum,” he said. “Lastly, technical debt must still be addressed, and that can consume chunks of budgets.”
Mika Aalto, co-founder and CEO at Hoxhunt, points out zero-trust and cloud security solutions remain popular investments, particularly with companies undergoing digital transformation and expanding attack surfaces.
“Technology investments like firewalls and EDR solutions get a lot of attention and usually seem like the safest play for the C-suite who authorize budgets, but that tech-focused playbook is flawed because it offers lower ROI than investing in people,” he said.
He added that most breaches originated from human error, usually phishing attacks, and human risk management platforms are an emerging category that offered the greatest ROI in terms of resilience.
“Organizations should also leverage data and analytics to measure and communicate their cyber-risk posture and performance to various stakeholders, such as executives, boards, regulators, and customers,” Aalto said.
He noted that cybersecurity risk quantification can help translate technical metrics into business outcomes and support decision-making based on risk appetite and tolerance.
“Reporting can help demonstrate compliance, accountability and transparency in the face of increasing scrutiny and expectations,” he explained.
Andrew Barratt, vice president at Coalfire, said strategically, CISOs need to be fully aware of the health of the organization they’re working in.
“There is a habit amongst new CISOs and senior security leaders to panic buy ‘because everything is really bad,’ so they can show they’ve achieved some quick wins,” he noted. “More mature CISOs are fully dialed into the revenue drivers in their business and focus efforts on a revenue defense mindset.”
From Barratt’s perspective, ensuring that any spending they do when spending is curtailed directly supported revenue enablement or protection.
“This does mean that some outlier risks or potential risks from third parties are being managed contractually or with legal defense,” he said. “Ultimately, they need to be close to the CFO and chief revenue officer to ensure that their perspective of risk is aligned.”
Recent Articles By Author