CISO spending insight: Cyber security spending trends 2022

CSO’s 2021 Security Priorities Study found that 44 per cent of security leaders expect their budgets to increase in the upcoming 12 months; that’s a slight bump-up from the 41 per cent who saw their budgets increase in 2021 over 2020.

Fifty-four percent of respondents said they expect their budgets to remain the same over the next 12 months, and only 2 per cent said they’re expecting a decrease – a much smaller figure than the 6 per cent who saw their spending drop from 2020 to 2021.

Similarity between trends

According to PwC’s 2022 Global Digital Trust Insights report, “investments continue to pour into cyber security” with 69 per cent of responding organisations predicting a rise in their cyber spending for 2022. Some even expect a surge in spending, with 26 per cent saying they anticipate a 10 per cent or higher spike in cyber spending for the upcoming year.

Meanwhile, tech research and advisory firm Gartner estimated that spending on information security and risk management will total $172 billion in 2022, up from $155 billion in 2021 and $137 billion the year before.

Despite the steady state of funding, CISOs aren’t going to be flush with cash. Security leaders and executive advisors say security departments must continue to show that they are delivering value for the dollars spent, maturing their operations, and, ultimately, improving their organisation’s security posture.

According to Joe Nocera, leader of PwC’s Cyber & Privacy Innovation Institute, organisations know that risks are increasing every day, and as such, investments continue to pour into cyber security.

“We’re hearing from business leaders that they’d be willing to spend anything to not end up on the front page of a newspaper for a hack, but they don’t want to spend a penny more than is necessary and they want to make sure they’re spending their money in the right areas.

VIEW ALL

"That’s going to require the CEO and CISOs to work together. CISOs need to know what the right level of protection is.

“Cyber investments are becoming less about having the latest products from tech vendors and more about first understanding where the business is most vulnerable, then prioritising investments by how likely an attack will occur and how substantial that loss could be to the business," Nocera said.

Security budgets in focus

Cyber security budgets for 2022 reflect the ever-increasing interest from the rest of the executive team and the board in the enterprise cyber security program, according to Sam Rehman, CISO for EPAM Systems.

The PwC report findings have shown organisations know that risks are increasing with more than 50 per cent expecting a surge in reportable incidents next year above 2021 levels.

Additionally, Rehman explained that the volume of attacks is only one of the factors that have many organisations boosting security spend, with executives also seeing the significant impact breaches have, which now includes the ease of monetising attacks in the age of anonymous cryptocurrency, keeping attackers well motivated.

“Those three things have upped the game,” Rehman added.

In response, corporate leaders now want to know that they’re adequately defending their organisations and that they can adequately respond to an attack; they want both protection and resiliency.

With leadership teams coming to understand that there’s no such thing as 100 per cent defended, but that a strong defence can buy time – time to detect, respond and recover before significant (or even any) damage is done.

In Nocera's view, the majority of organisations will significantly boost their spending budgets in order to protect themselves and their customers against cyber attacks.

At the same time, security leaders have revealed feeling pressure from external entities, in addition to their C-suite colleagues and board members, to deliver results the latest trends research has found. Security leaders are hearing from customers, business partners and regulators that security is top of mind for them, too.

Kyle H. Lai, who as president of KLC Consulting, serves as a virtual CISO for three mid-size companies, points to President Biden’s May 2021 executive order to beef up the nation’s cyber security as one factor influencing security budgets. Lai also references the growing list of country- and state-issued consumer data privacy acts and other legislative actions as factors influencing how much money CISOs need and where they’ll spend it.

“These [regulatory and legislative actions] are important to a lot of companies because they’re going to have to meet these requirements, especially the companies working with the federal government or the Department of Defence,” Lai said.

Survey findings back up observations

According to CSO’s Security Priorities Study, 49 per cent of respondents cited best practices as a determining factor on their security spending and 49 per cent also cited compliance, regulations or mandates as a determining factor – earning those two categories a tie for the top spot on the list.

Those were followed by the need to address the evolving risks posed by changing workforce or business dynamics – notably hybrid and remote work (41 per cent); addressing risks that result from digital transformation such as the move to the cloud (38 per cent); responding to a security incident that happened in their own organisation (35 per cent); and responding to a security incident that happened in another organisation (25 per cent).

Spending priorities

CSO’s survey showed that spending is spread over a number of areas, with 20 per cent allocated to on-premises infrastructure and hardware, 19 per cent to skilled staff and 16 per cent to on-premises tools and software – all of which provide the foundation for delivering security services to the enterprise.

Those priorities are followed by cloud-based security solutions (10 per cent), consulting services (7 per cent), cloud-based security monitory services (7 per cent), security awareness training (7 per cent), contracted evaluation services (6 per cent) and external incident response services (5 per cent).

Gartner’s latest forecast for information security and risk management spending further detailed where the cash is going: nearly $77 billion will go to security services in 2022, making it by far the biggest of the spending categories; $30 billion will go to infrastructure protection; $19 billion to network security equipment; and $17 billion to identity and access management.

Other areas getting big budgets include application security ($6.6 billion), integrated risk management ($6.4 billion), data security ($4 billion), software ($2.7 billion) and cloud security ($1.4 billion).

CISO spending can be grouped into four big areas, according to Shawn Eftink, senior director analyst for emerging technologies and trends at Gartner.

The first supports location-independent security, which creates a cyber security program that considers identity as the de facto perimeter that needs to be protected.

The second supports the evolution of the security organisation. Eftink further explains that security departments are facing intensifying scrutiny as boards get more directors with cyber security experience; those board members want to see both increased efficiencies and demonstrable maturing of the security function, with decreased security product complexity being key to delivering on those expectations.

The third bucket features evolving technologies; organisations are spending more on emerging and maturing security technologies, such as breach and attack simulation tools, as well as the technologies needed to secure their growing cloud environments.

Lastly, outsourcing spending that helps bring efficiencies to their security operations as well as cope with internal staffing challenges.

Other security leaders have similar observations. CISOs are investing in access and identity management software, authentication technologies such as role-based access control (RBAC), user behaviour analytics and micro segmentation to support their maturing zero-trust architecture. CISOs are spending on cloud security solutions. Buying automation and analytics to deal with the vast scale of security data more effectively and efficiently. And they’re engaging managed security services providers (MSSPs) to augment their own staff’s efforts.

“Identity and access management, third-party risk management, real-time intelligence and zero trust are all big areas of security investment,” Nocera said.

Smart spending

CEOs, in PwC’s 24th Annual Global CEO survey, cited cyber threats as the number two risk to business prospects, second only to pandemics and other health crises. CEOs in North America and Western Europe put cyber as number one.

At the same time, experts have found CEOs aren’t willing to write blank checks to their CISOs. The security chiefs’ own budgets for 2022 are a reflection of that hesitancy.

Eftink explains that there is a good reason behind the “unwillingness” to spend.

“Spending doesn’t necessarily equate to security,” Eftink said.

CISOs can expect that they’ll have to continue driving efficiencies and become more effective with either the same or minimally increasing budgets, according to Eftink. To do that, CISOs are going to have to continue to shift security left, to embed it from the start into the operational processes and digital products that power the business and to weave security into the very fabric of their organisations.

“The majority of what has to happen is a transition of thinking: Security has to be an embedded piece, it can’t be an afterthought. A paradigm shift has to happen,” Eftink said.

As companies allocate money to address these problems, Nocera added that building systems integrated across the company and making cyber security everybody’s business, not just the CISO or IT team, is key.

“Ultimately, strong company-wide cyber security operations can build trust within companies, stakeholders and consumers, becoming a competitive differentiator," Nocera said.

"The costs companies are fronting today to strengthen their systems should be thought of as investments in their future business models.”

[Related: Grim Finance latest DeFi exploit after $30m hack]