Cybersecurity budgeting and spending trends 2020: How does yours compare?
Cybersecurity spending grows
Protecting data and assets becomes more complicated as threats evolve. Cybersecurity budgets continue to grow every year, reflecting this complexity. Analyst data shows that spending on cybersecurity is not only growing, but also growing faster than IT spending overall.
Gartner has estimated that worldwide security spending grew 10.5% in 2019, compared to 0.4% growth in IT spending. The Enterprise Strategy Group (ESG) also found that the majority of organizations planned to increase their spending in 2020. Research published recently by ESG showed that 62% of surveyed organizations said they would increase their spending, and only 36% said they would keep budgets flat. Considering that cybersecurity is at the top of the agenda for many executives, it’s likely that budgets will keep growing.
How much are companies spending on cybersecurity?
Cybersecurity budgets vary based on industry, company size, business model, risk appetite and various other criteria. But size isn’t necessarily a major factor in how much of the IT budget is dedicated to security. A CIO survey asked nearly 700 IT executives how much of their IT budget went to security, and the mean answer, regardless of company size, was 15%.
As a rough benchmark, a Cisco Security report determined that 46% of midmarket organizations (with 250-999 employees) spent less than $250,000 in 2019, while 43% spent $250,000 to $999,000. For larger companies (1,000–9,999 employees), the most common spend was $250,000–$999,999, while large enterprises with more than 10,000 employees were more likely to spend over $1 million on their security programs.
What are the security spending priorities?
As new threats emerge, organizations change their security priorities accordingly. Digital transformation also plays a role, especially as organizations continue to shift infrastructure, workloads and applications to the cloud.
Another factor that impacts security budget allocations is regulatory compliance. With new laws such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) bringing financial risk due to potential fines, compliance becomes a priority even for previously unregulated industries.
Based on a survey of 450 IT and security leaders, the five leading factors for cybersecurity spending in 2020 are:
- Regulatory compliance (69% of responses)
- Reducing incidents and breaches (59%)
- Keeping up with the evolving threats (57%)
- Maintaining reputation in the industry (43%)
- Investigating and responding to events and incidents (40%)
Additionally, the survey found four factors that will disrupt security programs the most in the next 12 months:
- Increased use of hybrid cloud and public cloud infrastructure-as-a-service
- New threats from bad actors
- Developing regulations for security and privacy
- Talent recruitment and retention challenges
Growing priority: Securing the cloud infrastructure
Gartner forecast the cloud services market to grow 17% globally in 2020. While software-as-a-service (SaaS) is the largest segment in that market, infrastructure-as-a-service (IaaS) has the highest growth. With organizations moving more of their workloads and applications to the cloud, they’re putting more emphasis on monitoring cloud security, improving authentication and adding capabilities provided by cloud access security brokers (CASBs), such as malware detection and policy enforcement.
SaaS and IaaS vendors provide a variety of robust security features for their services and many invest heavily in continuous enhancements. However, in the event of a data breach, your organization is ultimately responsible. This is why your budget should include additional cloud security measures such as access controls and policy enforcement, encryption and tokenization, multifactor authentication and traffic inspection.
Threat detection and response focused on network monitoring
Network security remains a top priority when it comes to detecting and responding to new threats. In the SANS survey, half of the IT and security leaders identified network detection and response tools as an area of increased budget spending with the goal of fighting new threats. Conversely, 43% of respondents to the ESG survey said that among network infrastructure capabilities, network security would have the greatest impact on their organizations’ ability to grow their business.
One of the emerging challenges of securing the network is the proliferation of the Internet of Things, since IoT devices have limited embedded security. At the same time, threat actors are targeting IoT devices more. Kaspersky, for example, found an increase in malware targeting IoT in 2019 compared to 2018.
The need for continuous network monitoring grows even more if you have a remote or mobile workforce accessing your data and network from anywhere. This became especially urgent during the COVID-19 pandemic, when many organizations had to transition their entire workforce to working from home, testing the resiliency of their network defenses.
Other top areas of investment
Besides network and cloud security, some other areas of heavy investment include:
- Endpoint protection: Endpoint detection and response was the third top priority in fighting new threats. Additionally, a 2019 AT&T Cybersecurity survey found that 76% of organizations found endpoint security more important compared to 12 months before, and 41% increased their endpoint security budget.
- Employee training: In the SANS survey, staff skills training was ranked in the top three categories for spending increase in the areas of cloud security, protection against new threats, and privacy and security regulatory compliance. Since the complexities of IT environments are constantly growing, ensuring that your security analysts, engineers and other specialists have current knowledge is one of the best ways to keep up with best practices.
- Strong authentication: Authentication is another top priority, based on a Microsoft survey which found that 59% of 100 IT executives across industries planned to invest in or expand their multifactor authentication in 2020. More organizations are also adopting a zero-trust approach, which is based on the premise that no device, connection or user should be trusted until it’s authenticated.
How should you budget?
Since technology is only part of an effective security strategy, your budget needs to take a holistic look at your people, processes and tools. And while trends may indicate how your budget compares, it is even more important to know your objectives. Then you can measure how well your existing efforts are working and identify the gaps where you may need to shift more resources.
Sources
- Gartner Says Global IT Spending to Grow 3.7% in 2020, Gartner
- How much should you spend on security?, CSO
- The Security Bottom Line: How Much Security Is Enough?, Cisco
- Cybersecurity spending trends, 2020, CSO
- Spends and Trends: SANS 2020 IT Cybersecurity Spending Survey, SANS Institute
- Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17% in 2020, Gartner
- IoT: a malware story, Securelist
- 2019 Endpoint Security Survey Report, AlienVault/AT&T Security
- IT executives prioritize Multi-Factor Authentication in 2020, Microsoft