Cybersecurity Spending Grows

Cybersecurity budgets have largely been protected from the worst consequences of economic uncertainty, but have hardly been untouched by wider trims to company spending.

Source: Dow Jones | Published on October 3, 2023

Stubborn inflation and the specter of an economic recession have spooked companies across all sectors, with some pulling back on hiring, cutting head count and in some cases, shutting down operations entirely.

Security, however, is one area where companies appear not to have significantly lowered spending, amid a febrile threat environment that has seen significant attacks against organizations of all sizes in recent years.

“It’s telling that, in a year that was pretty economically challenging, security didn’t plummet in terms of spending,” said Nick Kakolowski, director of research at IANS Research, a cybersecurity advisory group.

Cyber budgets grew this year for the most part, but modestly, IANS found in a study with recruiting company Artico Search. After double-digit increases in 2020 and 2021, the average growth in cybersecurity budgets for 2023 was 6%, according to the survey of 550 security executives. As a portion of overall technology budgets, cyber accounted for 11.6%, the study found. Around 37% of respondents said their cyber budgets were flat or reduced.

Security requests continue to receive priority, said Mary Elizabeth Faulkner, chief information security officer at Thrivent, a financial services provider. Faulkner just received approval to hire four people for her cyber team, she said. “I received a lot of support from the business leaders for that,” she said.

Cybersecurity’s importance to an organization isn’t simply in preventing cyberattacks or safeguarding data, Kakolowski said, but has increasingly become a compliance concern.

Recent rules from the U.S. Securities and Exchange Commission, for instance, will require publicly traded companies to disclose details of cyber incidents and their cyber-risk management programs. Companies in certain critical-infrastructure sectors, such as oil and gas pipelines and hospitals, must comply with cyber regulations from industry bodies and federal agencies. State regulators, including the New York State Department of Financial Services, have been rolling out new rules.

Escalating cyberattacks and added compliance burdens mean “you can only go so far in terms of cutting spending, even in a difficult economic situation,” Kakolowski said.

In a report published Thursday, Moody’s Investors Service found that cybersecurity spending by debt issuers rose by 70% from 2019 to 2023. Publicly traded companies were the highest spenders in the survey of over 1,700 public and private-sector organizations, with budgets up 100% during that period.

Digital projects kick-started by the coronavirus pandemic, and their accompanying cybersecurity needs, have survived general spending cuts, said Steve Martano, a partner at Artico. Senior executives and the board of directors support this work, he said, which makes funding easier to secure than discretionary budgets for new tools.

Still, a notable share of security chiefs reported that they must nip and tuck their spending, he said. Some security chiefs are being asked to lay off the lowest performers in a group, or those with duplicative roles, even if they are being spared reductions of 20% or more.

General spending on cybersecurity is increasing dramatically, and will reach $215 billion next year, according to projections from consulting firm Gartner. That would be up 14.3% from $188 billion this year, Gartner said.

While some areas, such as cloud security, data privacy and security, and application security, have seen the largest share of spending growth, Gartner said, all security areas will receive continuing investment next year.

“Security is something that is recognized and seen as important, even by nontechnical or nonsecurity teams,” said Nat Smith, vice president analyst at Gartner.