January 9, 2015 By Jaikumar Vijayan

One thing information security managers will likely need to do less of in 2015 is justify spending on security controls to their chief information officer (CIO).

Last year’s high-profile attacks on companies such as Home Depot and JPMorgan Chase have made information security a top spending priority for CIOs for the second straight year.

In a survey conducted by investment bank Piper Jaffray, 75 percent of CIOs said they expected to increase spending on information security in 2015. That number is significantly higher than the 59 percent of CIOs who said the same thing in last year’s survey, and it reflects some of the nervousness caused by the slew of major data compromises last year.

“CIOs clearly have heightened concerns from the many security breaches that occurred in 2014, resulting in an inflection in overall security spending,” the report noted.

Nearly 90 percent of the CIOs surveyed said their top investment priority for this year is network security controls such as firewalls. Some 80 percent pointed to endpoint security as their biggest concern and said they will focus on investing in it in 2015. Other areas where CIOs expected to spend more this year are compliance, Web application security and security incident and event management tools. Close to 40 percent of the CIOs surveyed expected to leverage managed services for their security needs this year.

CIO concerns over cloud security appear to have been heightened by last year’s breaches, with 35 percent of respondents citing it as the primary reason for not migrating their applications to the cloud (compared to the 31 percent who said the same thing last year).

Benefits of Increased CIO Awareness

CIOs’ increased willingness to spend on information security is a good thing for enterprise security managers who are long accustomed to fighting for their budgets. This is the second time in two years that CIOs have made security a top priority over investments in other areas, such as enterprise mobility, storage and server technologies.

However, it still may not be enough. While the heightened spending reflects growing concern over enterprise security threats, security budgets still comprise a relatively small percentage of overall IT budgets.

In its Global State of Information Security Survey 2015 last September, PricewaterhouseCoopers (PwC) noted that top enterprise executives had a similarly heightened concern over security. For instance, nearly half of all chief executive officers surveyed last year by PwC expressed concern about cyberthreats to their companies.

Security Spending

Despite this, security spending has not moved much in proportion to overall technology spending. The PwC survey showed that average security budgets have remained more or less stagnant at 4 percent of overall IT spending for the past five years.

In 2014, smaller companies, defined by PwC as firms with less than $100 million in revenue, actually reduced their security spending significantly compared to 2013, though medium and larger companies boosted theirs between 5 percent and 10 percent.

The PwC survey also showed that security investment increases were not uniform across all industries. In some sectors, such as health care, utilities and oil and gas, companies appeared to be willing to invest substantially more in security than companies in other industries. For instance, information security spending in the health care industry increased a huge 66 percent in 2014 amid skyrocketing financial losses from cyberincidents, the PwC survey found. At the same time, companies in the automotive, retail and aerospace and defense industries actually spent less last year on security than before.

One possible explanation is that highly targeted security practices are helping some companies strategically optimize their information security spending.
