March 17, 2023 By Jonathan Reed 4 min read

If IT spending is slowing, will business leaders follow a similar approach for cybersecurity budgets? Probably not. Gartner predicts that end-user spending on both security technology and services will see an annual growth rate of 11% over the next four years. And the market is anticipated to reach $267.3 billion in 2026.

Many security professionals agree that security spending cuts aren’t likely. Given the current threat landscape, strong security has quickly become a business imperative. Security has become the highest priority investment area for many organizations — even outranking cloud computing.

IT budget crunch

For years, cloud services have been one of the largest and most stable sources of growth for the tech industry. This was notable during the pandemic as more people connected from home. Now, investors are concerned about whether there is a glut in capacity that will lead to spending cuts. While companies deal with rising inflation, interest rate increases have also tightened consumer demand. For example, growth in Amazon Web Services (AWS), the firm’s massive cloud unit serving enterprise, has drifted down consistently in the past four quarters.

“The AWS slowdown is a clear sign that businesses are beginning to trim costs, so this will likely put more of a squeeze on Amazon’s bottom line in the coming quarters,” said Andrew Lipsman, principal analyst at Insider Intelligence.

Meanwhile, cybersecurity spending is extremely durable. Security is commonly shielded from budget cuts because of how closely it is tied to operational and reputational risk.

Security strategy is core business strategy

As cyber incidents increase in number and complexity, organizations have no choice but to defend themselves. In fact, many companies have gone bankrupt in the wake of a cyberattack. Yes, larger firms might be able to absorb the cost of an attack. But given the average cost of a data breach has reached $4.35 million according to the IBM Cost of a Data Breach report, many companies prefer to invest in strong security and to keep it strong. This comes as no surprise, as 83% of companies in the IBM survey reported suffering more than one breach.

Cybersecurity Ventures also reports on the rising tide of cyberattacks. They expect global cyber crime costs to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015.

Another way to look at the security issue is through the lens of security as a business opportunity. As per McKinsey, the gap today between the $150 billion vended security market and the potential market is huge. At approximately 10% penetration of security solutions today, the total opportunity amounts to a staggering $1.5 to $2 trillion addressable market. That is, adequate security coverage appears to be lagging by a factor of 10.

If this is truly the case, it’s no wonder that security spending does not appear to be threatened by new IT budget cuts.

The cyber insurance factor

Another factor influencing security spending is the shifting cyber insurance environment. In August 2022, Lloyd’s, the world’s largest insurance marketplace, asked all cyber insurers selling through its platform to rewrite their policies. Lloyd’s now requires that standalone cyberattack policies must include a suitable clause excluding liability for losses arising from any state-backed cyberattack.

This shift is largely due to the war in Ukraine and related court decisions that have favored plaintiffs. In December 2021, a New Jersey court ruled that a Chubb insurance unit can’t deny coverage for Merck & Co.’s $1.4 billion losses from NotPetya. The court held that Chubb’s war exclusion only bars physical warfare, not cyberattacks.

Meanwhile, cyberattack insurance is in heavy demand. The top 20 US insurers took in over $3.9 billion in cybersecurity direct premiums in 2021. And standalone cyber premiums jumped 95% in 2021. As the level of cyber coverage appears to be narrowing, it makes adequate security measures all the more important.

Security is the highest priority

Bob Stevens, VP of the public sector at GitLab, said, “If it isn’t already, I foresee security becoming one of the top investment areas for companies and government agencies in the coming year.” In fact, cybersecurity is now one of the top spending considerations for government and private sector leaders, according to GitLab’s 2022 Global DevSecOps Survey.

The study found security is the top-priority investment area for organizations. Among government respondents, 60% currently implement security capabilities for cloud-native or serverless or plan to in the coming year. “With that goal in mind, companies and government agencies will have to increase attention and budget for cybersecurity,” said Stevens.

What security solutions do companies prioritize?

Every organization anticipates that their attack surfaces will continue growing — maybe even faster than expected. Both legitimate and malicious attempts to access networks will continue to increase. This is one of the main reasons why security spending focuses on solutions such as secure access service edge (SASE) and zero trust.

SASE is a compelling response to the new perimeter-less world. In essence, SASE is a cloud-native security solution that provides seamless and secure access to any application from any location or device. SASE converges security with wide area network (WAN) infrastructure. Gartner predicts that global spending on SASE will grow at a 36% CAGR going into 2025, far outpacing global spending on information security and risk management.

SASE can also serve as a foundation for zero trust security strategies. Zero trust helps organizations increase their cyber resiliency and manage the risks of a disconnected business environment while still allowing users access to IT resources. Zero trust uses context to securely connect the right users to the right data at the right time under the right conditions. In many ways, zero trust is an umbrella term that includes other solutions, such as threat detection, identity access management and endpoint data protection.

Keep your guard up

Despite the economic headwinds, it appears that companies aren’t skimping on their security spending. And perhaps one of the key places where they don’t want to make cuts is in security team members. As good talent is hard to find these days, companies should hang onto their current security professionals and — given the rising risk — even consider expanding their team.

The danger is real. Cyberattacks are increasing in intensity, frequency and sophistication. The right tools and the right people are required to meet the challenge.

More from Security Services

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today