Cybersecurity spending trends for 2022: Investing in the future
- 14 January, 2022 15:15
Enterprise spending on cybersecurity is expected to hold steady in 2022, as studies show that nearly all CISOs are getting a budget increase or level funding in the new year—only a small fraction of security chiefs will see their budgets fall.
CSO’s 2021 Security Priorities Study found that 44 per cent of security leaders expect their budgets to increase in the upcoming 12 months; that’s a slight bump-up from the 41 per cent who saw their budgets increase in 2021 over 2020.
Fifty-four per cent of respondents say they expect their budgets to remain the same over the next 12 months. Only 2 per cent said they’re expecting a decrease—a much smaller figure than the 6 per cent who saw their spending drop from 2020 to 2021.
Other research has found similar trends for next year.
According to PwC’s 2022 Global Digital Trust Insights report, “investments continue to pour into cybersecurity” with 69 per cent of responding organisations predicting a rise in their cyber spending for 2022. Some even expect a surge in spending, with 26 per cent saying they anticipate a 10 per cent or higher spike in cyber spending for the upcoming year.
Meanwhile, tech research and advisory firm Gartner estimated that spending on information security and risk management will total US$172 billion in 2022, up from US$155 billion in 2021 and US$137 billion the year before.
Despite the steady state of funding, CISOs aren’t going to be flush with cash. Security leaders and executive advisors say security departments must continue to show that they’re delivering value for the dollars spent, maturing their operations, and, ultimately, improving their organisation’s security posture.
“Organisations know that risks are increasing every day, and as such, investments continue to pour into cybersecurity,” says Joe Nocera, leader of PwC’s Cyber & Privacy Innovation Institute.
“We’re hearing from business leaders that they’d be willing to spend anything to not end up on the front page of a newspaper for a hack, but they don’t want to spend a penny more than is necessary and they want to make sure they’re spending their money in the right areas.
“That’s going to require the CEO and CISOs to work together. CISOs need to know what the right level of protection is.”
Nocera adds: “Cyber investments are becoming less about having the latest products from tech vendors and more about first understanding where the business is most vulnerable, then prioritising investments by how likely an attack will occur and how substantial that loss could be to the business.”
Trends driving the budget
Sam Rehman, CISO for EPAM Systems, says cybersecurity budgets for 2022 reflect the ever-increasing interest from the rest of the executive team and the board in the enterprise cybersecurity program.
According to the PwC report, “Organisations know that risks are increasing. More than 50 per cent expect a surge in reportable incidents next year above 2021 levels.”
Rehman says the volume of attacks is only one of the factors that have many organisations boosting their security spend. He says executives also see the significant impact breaches have, and how the ease of monetising attacks in the age of anonymous cryptocurrency keeps attackers well motivated.
“Those three things have upped the game,” he says.
In response, corporate leaders now want to know that they’re adequately defending their organisations and that they can adequately respond to an attack; they want both protection and resiliency. They’re coming to understand that there’s no such thing as 100 per cent defended, but that a strong defence can buy time—time to detect, respond and recover before significant (or even any) damage is done.
“The majority of organisations will significantly boost their spending budgets in order to protect themselves and their customers against cyberattacks,” Nocera adds.
At the same time, security leaders say they’re feeling pressure from external entities, in addition to their C-suite colleagues and board members, to deliver results. They’re hearing from customers, business partners, and regulators that security is top of mind for them, too.
Kyle H. Lai, who as president of KLC Consulting serves as a virtual CISO for three mid-size companies, points to President Biden’s May 2021 Executive Order to beef up the nation’s cybersecurity as one factor influencing security budgets. He also cites the growing list of country- and state-issued consumer data privacy acts and other legislative actions as factors influencing how much money CISOs need and where they’ll spend it.
“These [regulatory and legislative actions] are important to a lot of companies because they’re going to have to meet these requirements, especially the companies working with the federal government or the Department of Defense,” Lai says.
Survey findings back up those observations.
According to CSO’s Security Priorities Study, 49 per cent of respondents cited best practices as a determining factor on their security spending and 49 per cent also cited compliance, regulations, or mandates as a determining factor—earning those two categories a tie for the top spot on the list.
Those were followed by the need to address the evolving risks posed by changing workforce or business dynamics—notably hybrid and remote work (41 per cent); addressing risks that result from digital transformation such as the move to the cloud (38 per cent); responding to a security incident that happened in their own organisation (35 per cent); and responding to a security incident that happened in another organisation (25 per cent).
Those factors correlate to where CISOs expect to spend their money in the upcoming months.
CSO’s survey showed that spending is spread over a number of areas, with 20 per cent allocated to on-premises infrastructure and hardware, 19 per cent to skilled staff, and 16 per cent to on-premises tools and software—all of which provide the foundation for delivering security services to the enterprise.
Those priorities are followed by cloud-based security solutions (10 per cent), consulting services (7 per cent), cloud-based security monitoring services (7 per cent), security awareness training (7 per cent), contracted evaluation services (6 per cent), and external incident response services (5 per cent).
Gartner’s latest forecast for information security and risk management spending further detailed where the cash is going: nearly US$77 billion will go to security services in 2022, making it by far the biggest of the spending categories; US$30 billion will go to infrastructure protection; US$19 billion to network security equipment; and US$17 billion to identity and access management.
Other areas getting big budgets include application security (US$6.6 billion), integrated risk management (US$6.4 billion), data security (US$4 billion), software (US$2.7 billion) and cloud security (US$1.4 billion).
Shawn Eftink, senior director analyst for emerging technologies and trends at Gartner, says CISO spending can be grouped into four big areas.
The first supports location-independent security, which creates a cybersecurity program that considers identity as the de facto perimeter that needs to be protected.
The second supports the evolution of the security organisation. Eftink says security departments are facing intensifying scrutiny as boards get more directors with cybersecurity experience; those board members want to see both increased efficiencies and demonstrable maturing of the security function, with decreased security product complexity being key to delivering on those expectations.
The third bucket features evolving technologies; organisations are spending more on emerging and maturing security technologies, such as breach and attack simulation tools, as well as the technologies needed to secure their growing cloud environments.
And last is outsourcing, spending that helps them bring efficiencies to their security operations as well as cope with internal staffing challenges.
Other security leaders have similar observations. They say CISOs are investing in access and identity management software, authentication technologies such as role-based access control (RBAC), user behaviour analytics, and microsegmentation to support their maturing zero trust architecture. CISOs are spending on cloud security solutions. They’re buying automation and analytics to deal with the vast scale of security data more effectively and efficiently. And they’re engaging managed security services providers (MSSPs) to augment their own staff’s efforts.
“Identity and access management, third-party risk management, real-time intelligence and zero trust are all big areas of security investment,” Nocera says.
CEOs, in PwC’s 24th Annual Global CEO Survey, cited cyber threats as the No. 2 risk to business prospects, second only to pandemics and other health crises. CEOs in North America and Western Europe put cyber as No. 1.
Yet at the same time, experts say CEOs aren’t willing to write blank checks to their CISOs. The security chiefs’ own budgets for 2022 reflect that fact.
That’s with good reason, experts say.
“Spending doesn’t necessarily equate to security,” Eftink says, sharing an oft-repeated idea in the profession.
In fact, he says CISOs can expect that they’ll have to continue driving efficiencies and become more effective with either the same or minimally increasing budgets. And to do that they’re going to have to continue to shift security left, to embed it from the start into the operational processes and digital products that power the business and to weave security into the very fabric of their organisations.
“The majority of what has to happen is a transition of thinking: Security has to be an embedded piece, it can’t be an afterthought. A paradigm shift has to happen,” Eftink says.
“As companies allocate money to address these problems, they also need to build systems that are integrated across the company, making cybersecurity everybody’s business, not just the CISO or IT team,” he says. “Ultimately, strong companywide cybersecurity operations can build trust within companies, stakeholders, and consumers, becoming a competitive differentiator.
“The costs companies are fronting today to strengthen their systems should be thought of as investments in their future business models.”