Cybersecurity spending saw a 65% drop in growth during the 2022-23 budget cycle, according to a new report from IANS Research and Artico Search. Widespread economic stressors also led to budget cuts or spending freezes for more than a third of the 550 CISOs surveyed, up from 21% compared with last year’s study.
The 2023 Security Budget Benchmark Summary Report published last week revealed that cybersecurity spending in the United States and Canada increased by just 6% on average in 2022-23, down nearly two-thirds from the 17% growth security budgets saw in 2021-22. Technology firms, which saw a 30% growth in security spending last cycle, saw the greatest decline with just a 5% increase on average this cycle.
Amid economic uncertainty, inflation pressures and looming fears of a future recession, 37% of survey respondents reported flat budgets or budget decreases during the 2022-23 cycle — 76% more than last year. Of the 63% who reported budget increases this year, 17% said the driving factor was increased risk, while 15% said it was due to a digital transformation at their organization. The heftiest budget increases came from major industry disruptions such as high-profile breaches, which resulted in a 27% spending hike on average.
While cybersecurity budget growth slowed significantly, it remained somewhat insulated from spending cuts when compared with overall IT budgets. This is evidenced by a continued gradual increase in the proportion of IT budgets dedicated to security over the last three years, from an average of 8.6% in 2020 to 11.6% in 2023. The report authors also noted that CISOs are prioritizing “people over tools,” with the largest chunk of security budgets — 38% — going toward staff and compensation expenses.
The results of the IANS and Artico study may not be surprising to many in the security space — experts who submitted their 2023 predictions to SC Media at the beginning of the year cited “economic uncertainty” as a major concern and recommended that CISOs carefully prioritize spending to protect their organizations and maximize ROI. Additionally, the CyberRisk Alliance’s 2023 Global State of Cybersecurity Study revealed economic instability to be among the top concerns of security professionals.
“The implications of the report are that organizations will not be able to spend their way to a secure organization. They will need to start looking at security as a service to help overcome technology and talent obstacles instead,” said Mark Stockley, a cybersecurity evangelist at Malwarebytes, commenting on the new research. “The gap between what's required and what the economic reality for most will allow is too great.”
The cybersecurity sector is less likely to be impacted by layoffs than other sectors during the current economic downturn, according to a report by Fortune earlier this year. However, organizations will need to prepare and consider new strategies to take on cyber threats in a challenging economic climate, Stockley noted.
“Small businesses with perhaps a handful of generalist IT staff are up against seasoned, professional ransomware gangs whose bread and butter is compromising networks undetected and disrupting the entire operation of the businesses they target,” said Stockley. “To achieve parity with their attackers, those organizations need access to skilled security staff monitoring their networks 24/7. Very few will be able to hire a full-time team to do that, so they will need to turn to service providers instead.”