Enterprise spending on cybersecurity is expected to hold steady in 2022, as studies show that nearly all CISOs are getting a budget increase or level funding in the new year—only a small fraction of security chiefs will see their budgets fall.
CSO’s 2021 Security Priorities Study found that 44 per cent of security leaders expect their budgets to increase in the upcoming 12 months; that’s a slight bump-up from the 41 per cent who saw their budgets increase in 2021 over 2020.
Fifty-four per cent of respondents say they expect their budgets to remain the same over the next 12 months. Only 2 per cent said they’re expecting a decrease—a much smaller figure than the 6 per cent who saw their spending drop from 2020 to 2021.
Other research has found similar trends for next year.
According to PwC’s 2022 Global Digital Trust Insights report, “investments continue to pour into cybersecurity” with 69 per cent of responding organisations predicting a rise in their cyber spending for 2022. Some even expect a surge in spending, with 26 per cent saying they anticipate a 10 per cent or higher spike in cyber spending for the upcoming year.
Meanwhile, tech research and advisory firm Gartner estimated that spending on information security and risk management will total US$172 billion in 2022, up from US$155 billion in 2021 and US$137 billion the year before.
Despite the steady state of funding, CISOs aren’t going to be flush with cash. Security leaders and executive advisors say security departments must continue to show that they’re delivering value for the dollars spent, maturing their operations, and, ultimately, improving their organisation’s security posture.
“Organisations know that risks are increasing every day, and as such, investments continue to pour into cybersecurity,” says Joe Nocera, leader of PwC’s Cyber & Privacy Innovation Institute.
“We’re hearing from business leaders that they’d be willing to spend anything to not end up on the front page of a newspaper for a hack, but they don’t want to spend a penny more than is necessary and they want to make sure they’re spending their money in the right areas.
"That’s going to require the CEO and CISOs to work together. CISOs need to know what the right level of protection is.”
Nocera adds: “Cyber investments are becoming less about having the latest products from tech vendors and more about first understanding where the business is most vulnerable, then prioritising investments by how likely an attack will occur and how substantial that loss could be to the business.”
Trends driving the budget
Sam Rehman, CISO for EPAM Systems, says cybersecurity budgets for 2022 reflect the ever-increasing interest from the rest of the executive team and the board in the enterprise cybersecurity program.
According to the PwC report, “Organisations know that risks are increasing. More than 50 per cent expect a surge in reportable incidents next year above 2021 levels.”
Rehman says the volume of attacks is only one of the factors that have many organisations boosting their security spend. He says executives also see the significant impact breaches have. And how the ease of monetising attacks in the age of anonymous cryptocurrency keeps attackers well motivated.
“Those three things have upped the game,” he says.
In response, corporate leaders now want to know that they’re adequately defending their organisations and that they can adequately respond to an attack; they want both protection and resiliency. They’re coming to understand that there’s no such thing as 100 per cent defended, but that a strong defense can buy time—time to detect, respond and recover before significant (or even any) damage is done.
“The majority of organisations will significantly boost their spending budgets in order to protect themselves and their customers against cyberattacks,” Nocera adds.
At the same time, security leaders say they’re feeling pressure from external entities, in addition to their C-suite colleagues and board members, to deliver results. They’re hearing from customers, business partners, and regulators that security is top of mind for them, too.
Kyle H. Lai, who as president of KLC Consulting serves as a virtual CISO for three mid-size companies, points to President Biden’s May 2021 Executive Order to beef up the nation’s cybersecurity as one factor influencing security budgets. He also cites the growing list of country- and state-issued consumer data privacy acts and other legislative actions as factors influencing how much money CISOs need and where they’ll spend it.
“These [regulatory and legislative actions] are important to a lot of companies because they’re going to have to meet these requirements, especially the companies working with the federal government or the Department of Defense,” Lai says.
Survey findings back up those observations.
According to CSO’s Security Priorities Study, 49 per cent of respondents cited best practices as a determining factor on their security spending and 49 per cent also cited compliance, regulations, or mandates as a determining factor—earning those two categories a tie for the top spot on the list.
Those were followed by the need to address the evolving risks posed by changing workforce or business dynamics—notably hybrid and remote work (41 per cent); addressing risks that result from digital transformation such as the move to the cloud (38 per cent); responding to a security incident that happened in their own organisation (35 per cent); and responding to a security incident that happened in another organisation (25 per cent).
Those factors correlate to where CISOs expect to spend their money in the upcoming months.
CSO’s survey showed that spending is spread over a number of areas, with 20 per cent allocated to on-premises infrastructure and hardware, 19 per cent to skilled staff, and 16 per cent to on-premises tools and software—all of which provide the foundation for delivering security services to the enterprise.
Those priorities are followed by cloud-based security solutions (10 per cent), consulting services (7 per cent), cloud-based security monitory services (7 per cent), security awareness training (7 per cent), contracted evaluation services (6 per cent), and external incident response services (5 per cent ).
Read more on the next page...