A Look at Cyber-Security Spending in 2019: Where Budgets are Increasing and Why
Last month Dark Reading published a roundup of 2019 cyber-security spending outlooks from the likes of Gartner, Forrester, and InformationWeek.1
In general, they all agree that there are three drivers for cyber-security spending: (1) security risks; (2) business needs; and (3) industry changes. Data privacy concerns are also becoming a key factor, driving market demand for security services through 2019. Additionally, data privacy will impact a variety of segments, such as identity and access management (IAM), identity governance and administration (IGA), and data loss prevention (DLP).
While these analysts and publications share different opinions on the priorities in 2019 budgets, they all agree security spending is on the rise and will continue to be an urgent focus this year and beyond.
So, how much do companies spend on cyber-security? After reviewing the roundup, we thought it would be valuable to summarize our key takeaways and observations. Let’s dive in and see how your 2019 cyber-security spending compares.
Cyber-Security spending is outpacing general IT spending
And by a lot. According to Gartner cyber-security experts, worldwide spending on IT security will jump 8.7% this year, up $124 billion.2 Compare that to general IT spending, which Gartner expects to grow by only 3.2% this year.
Of course, the main driver of this spending is cybersecurity concerns as well as changes in regulations. Research support this: 56% of companies report that they have increased security concerns while 37% report they must focus on recent changes to regulations. All of this results in the need to invest more in detection and response capabilities, especially innovative solutions that overcome traditional challenges and address digital business risks.
Compliance is also a major factor as companies must meet privacy regulations such as GDPR. A recent Spiceworks survey shows IT leaders agree with the Gartner cyber-security findings, as two of the top five factors leading to increased IT budgets are increased security concerns and changes in regulations.3 The Spiceworks survey also noted an increase in spending on managed security services, a topic we’ll cover in an upcoming blog.
A recent Forrester cyber-security research report noted that, while overall cyber-security spending is on the rise, it is skewed toward certain industries.
- Critical infrastructure firms will be 2019’s big spenders. A full 32% of respondents at utilities and telecommunications firms are in the highest security spending bracket — the highest percentage across the industries we studied. In contrast, just 18% of respondents at manufacturers are in the highest security spending bracket.
- Healthcare and financial services lag. Despite having hordes of personal data to protect, 31% of respondents in the healthcare and financial services industries spend 0% to 10% on security. A key risk for organizations with lower spending is that a lack of monitoring capabilities gives them a false sense of security; however, regulatory pressure in these industries helps to counter some of that risk.
To learn more, download our How-to Guide: Successfully Complying with Data Privacy Regulations today.
Security is a top consideration in digital transformation
When business and IT leaders talk about digital transformation in their organizations, the focus is frequently on cloud computing, artificial intelligence, IoT, and mobile solutions — those technologies that could potentially transform the larger business.
Yet a recent Altimeter survey showed that decision makers not only include cybersecurity among their top considerations when it comes to digital transformation, but it is also their second biggest investment priority, just below the cloud.4 Yet is important to note that organizations can invest in all the transformative technologies in the world, but it is all meaningless if they can’t protect the business, its customers, or other vital assets.
A growing number of CIOs, CEOs, and even board members are focusing on digital transformation, evidence that they now view digital initiatives as more than cost centers or projects that may prevent employees from driving value through the organization.
Again, it comes back to compliance. A major driver of the cyber-security spending for digital transformation is the importance of regulatory and compliance standards. This trend is up 102% over 2018 and can easily be attributed to data privacy laws like GDPR (as well as the continued growth of cyber-threats and data breaches). To address this, cybersecurity technologies now comprise nearly 35% of companies’ highest priority technology investments. Only cloud technologies ranked higher at 37%.
2019 is the year of security services
A recent Forrester security report showed that last year spending on security services overtook product investments, and the cyber-security spending trend is expected to increase in 2019.5 And Gartner predicts that security services are expected to represent at least 50% of security software delivery by 2020. Why? Many large and mid-size businesses are recognizing security requires more than just a technology investment. Service organizations bring technology, expertise, and resources to the table in a way that may be a more cost-effective alternative to trying to manage all of this internally. Security services also enable client organizations to share accountability with experienced partners.
Organizations with midrange security budgets tend to spend more on services. Given that these organizations are more likely to report multiple breaches, it appears there is value seen in services as a means to improve the company’s overall security posture and ability to respond to threats.
Another reason for services is the extreme lack of security talent and or talent without the right skills. Over 22% of security decision-makers cite lack of resources as a major challenge. Finally, keeping up with advancements in cybersecurity technology is also a key consideration in using outside service providers rather than hire, retain, and manage staff.
How organizations measure cyber-security ROI is evolving
Not surprisingly, security leaders are recognizing a product’s ability to lower risk and help organizations remain in compliance as critical areas of investment. For many, these are now top metrics. One out of three organizations says they use external third-party audits to validate the efficacy of their security investments.
Forty-three percent of the organizations polled said they evaluate the effectiveness of their cyber-security spending based on their ability to reduce risk, and 40% cited their ability to remain in compliance with legal and regulatory requirements. This is a shift in attitude toward cyber-security spending, which historically has been motivated by operational and tactical considerations like breach mitigation, IP protection, and incident response.
While organizations said they are measuring the value of security investments based on the ability to reduce risk, many do not have the mechanisms in place to measure either their exposure to risk or the effectiveness of their controls for reducing that exposure. Only 41% believe they have an effective process for measuring cyber-risk in the coming year, and 59% do not have any risk assessment or risk analysis practice at all currently. Less than half (48%) said they can effectively measure how well their security strategy is working. The investments in security controls have not helped alleviate some other concerns.
The survey findings on security operations center trends in a SANS cyber-security report from 2017 highlights the fact that those organizations that leverage a NOC that is separate from the SOC will need to consider different ROI measures. One of the biggest challenges is the lack of visibility between the two functions: 80% of SANS cyber-security report respondents indicated that they experienced barriers in effective reporting and full visibility into risk posture. These two groups will need to focus on coordination and effectiveness as well as being able to detect previously unknown threats.
How CSPi can help
If your top priorities for cyber-security spending align with these takeaways from Dark Reading’s summary, consider how CSPi can help. We too recognize what a critical value reduced risk and compliance are to your organization’s bottom line.
CSPi cybersecurity solutions represent a different approach to threat detection and prevention, stemming from the company’s deep expertise in hardened, failsafe technology solutions for network surveillance and intelligence initiatives for the U.S. Department of Defense and other Western intelligence agencies.
To improve their overall security posture and accelerate incident response times, organizations must have a way to identify, stop, and quickly mitigate potential threats. But even more importantly, they need the capability to rapidly identify the threats that matter the most, such as those targeting high-value business assets and applications. This is a critical advantage, enabling them to take rapid, precise actions against a potential breach to reduce the cost of cyber attacks. Doing so requires enhanced network security capabilities, such as complete visibility into network traffic across the entire enterprise. Success also depends on the ability to capture and direct better intelligence on suspicious conversations to feed existing security tools, like firewalls or SIEMs, to detect and disrupt such threats.
To meet increasingly stringent data privacy compliance requirements organizations must be able to prove not only the exact impact of the breach (if any) but also the steps taken to protect assets, along with the timeframe when all of this transpired. To achieve all of these goals, organizations need to show that they captured all network traffic and demonstrate that it was stored for additional forensics and auditing. In addition, if organizations can improve their data protection and application security through encryption techniques and secure key management, their critical assets are protected no matter where they reside, if they’re in motion, or where they are used. Not only does this provide irrefutable proof for compliance purposes, but also makes breaches irrelevant.
CSPi’s cybersecurity solutions provide these capabilities, helping to provide full insight into an organization’s enterprise (including east-west traffic), separate real threat alerts from false positives and enable security professionals to conduct faster, more effective incident response to validate potential threats.
To learn more, visit www.cspi.com.
CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPI’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, no matter if is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.
1-Dark Reading, “2019 Security Spending Outlook,” Ericka Chickowski, February 12, 2019.
2-Gartner, “2019 Worldwide Security Spending Projection.”
3-Spiceworks, “The 2019 State of IT: The Annual Report on IT Budgets and Tech Trends,” 2019.
4-Altimeter, “The State of Digital Transformation,” 2019.
5-Forrester, “Security Budgets 2019: The Year of Services Arrives,” December 17, 2018.