March 17, 2023 By Jonathan Reed 4 min read

If IT spending is slowing, will business leaders follow a similar approach for cybersecurity budgets? Probably not. Gartner predicts that end-user spending on both security technology and services will see an annual growth rate of 11% over the next four years. And the market is anticipated to reach $267.3 billion in 2026.

Many security professionals agree that security spending cuts aren’t likely. Given the current threat landscape, strong security has quickly become a business imperative. Security has become the highest priority investment area for many organizations — even outranking cloud computing.

IT budget crunch

For years, cloud services have been one of the largest and most stable sources of growth for the tech industry. This was notable during the pandemic as more people connected from home. Now, investors are concerned about whether there is a glut in capacity that will lead to spending cuts. While companies deal with rising inflation, interest rate increases have also tightened consumer demand. For example, growth in Amazon Web Services (AWS), the firm’s massive cloud unit serving enterprise, has drifted down consistently in the past four quarters.

“The AWS slowdown is a clear sign that businesses are beginning to trim costs, so this will likely put more of a squeeze on Amazon’s bottom line in the coming quarters,” said Andrew Lipsman, principal analyst at Insider Intelligence.

Meanwhile, cybersecurity spending is extremely durable. Security is commonly shielded from budget cuts because of how closely it is tied to operational and reputational risk.

Security strategy is core business strategy

As cyber incidents increase in number and complexity, organizations have no choice but to defend themselves. In fact, many companies have gone bankrupt in the wake of a cyberattack. Yes, larger firms might be able to absorb the cost of an attack. But given the average cost of a data breach has reached $4.35 million according to the IBM Cost of a Data Breach report, many companies prefer to invest in strong security and to keep it strong. This comes as no surprise, as 83% of companies in the IBM survey reported suffering more than one breach.

Cybersecurity Ventures also reports on the rising tide of cyberattacks. They expect global cyber crime costs to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015.

Another way to look at the security issue is through the lens of security as a business opportunity. As per McKinsey, the gap today between the $150 billion vended security market and the potential market is huge. At approximately 10% penetration of security solutions today, the total opportunity amounts to a staggering $1.5 to $2 trillion addressable market. That is, adequate security coverage appears to be lagging by a factor of 10.

If this is truly the case, it’s no wonder that security spending does not appear to be threatened by new IT budget cuts.

The cyber insurance factor

Another factor influencing security spending is the shifting cyber insurance environment. In August 2022, Lloyd’s, the world’s largest insurance marketplace, asked all cyber insurers selling through its platform to rewrite their policies. Lloyd’s now requires that standalone cyberattack policies must include a suitable clause excluding liability for losses arising from any state-backed cyberattack.

This shift is largely due to the war in Ukraine and related court decisions that have favored plaintiffs. In December 2021, a New Jersey court ruled that a Chubb insurance unit can’t deny coverage for Merck & Co.’s $1.4 billion losses from NotPetya. The court held that Chubb’s war exclusion only bars physical warfare, not cyberattacks.

Meanwhile, cyberattack insurance is in heavy demand. The top 20 US insurers took in over $3.9 billion in cybersecurity direct premiums in 2021. And standalone cyber premiums jumped 95% in 2021. As the level of cyber coverage appears to be narrowing, it makes adequate security measures all the more important.

Security is the highest priority

Bob Stevens, VP of the public sector at GitLab, said, “If it isn’t already, I foresee security becoming one of the top investment areas for companies and government agencies in the coming year.” In fact, cybersecurity is now one of the top spending considerations for government and private sector leaders, according to GitLab’s 2022 Global DevSecOps Survey.

The study found security is the top-priority investment area for organizations. Among government respondents, 60% currently implement security capabilities for cloud-native or serverless or plan to in the coming year. “With that goal in mind, companies and government agencies will have to increase attention and budget for cybersecurity,” said Stevens.

What security solutions do companies prioritize?

Every organization anticipates that their attack surfaces will continue growing — maybe even faster than expected. Both legitimate and malicious attempts to access networks will continue to increase. This is one of the main reasons why security spending focuses on solutions such as secure access service edge (SASE) and zero trust.

SASE is a compelling response to the new perimeter-less world. In essence, SASE is a cloud-native security solution that provides seamless and secure access to any application from any location or device. SASE converges security with wide area network (WAN) infrastructure. Gartner predicts that global spending on SASE will grow at a 36% CAGR going into 2025, far outpacing global spending on information security and risk management.

SASE can also serve as a foundation for zero trust security strategies. Zero trust helps organizations increase their cyber resiliency and manage the risks of a disconnected business environment while still allowing users access to IT resources. Zero trust uses context to securely connect the right users to the right data at the right time under the right conditions. In many ways, zero trust is an umbrella term that includes other solutions, such as threat detection, identity access management and endpoint data protection.

Keep your guard up

Despite the economic headwinds, it appears that companies aren’t skimping on their security spending. And perhaps one of the key places where they don’t want to make cuts is in security team members. As good talent is hard to find these days, companies should hang onto their current security professionals and — given the rising risk — even consider expanding their team.

The danger is real. Cyberattacks are increasing in intensity, frequency and sophistication. The right tools and the right people are required to meet the challenge.

More from Security Services

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

39% of MSPs report major setbacks when adapting to advanced security technologies

4 min read - SOPHOS, a leading global provider of managed security solutions, has recently released its annual MSP Perspectives report for 2024. This most recent report provides insights from 350 different managed service providers (MSPs) across the United States, United Kingdom, Germany and Australia on modern cybersecurity tools solutions. It also documents newly discovered risks and challenges in the industry.Among the many findings of this most recent report, one of the most concerning trends is the difficulties MSPs face when adapting their service…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today