Cyber security has long been a domain of innovation, but is it reaching a point of diminishing returns? According to Gartner, spending for the information security and risk management market was estimated to reach $150 billion by the end of 2021.1
However, how you allocate your budget for this increase in spend will determine whether you get the most from your money and are able to best protect your organisation.
New types of threats demand a proportionate response. With organisations struggling to accommodate cloud architectures and new work methods, the need to budget wisely to address potential vulnerabilities is taking on greater urgency.
According to Gartner’s data on industry metrics, the average company’s breakdown of a cyber security budget is:
- Operational infrastructure security (50%)
- Vulnerability management and security monitoring (20%)
- Governance, risk and compliance (16%)
- Application security (14%)2
This gives a valuable benchmark, but each organisation must carry out its own assessment of how its cyber security budget should be allocated — and there may be an advantage in moving spend around to address your new risk profile and to take into account up-and-coming threats.
We believe it is more important to consider some of the major trends emerging in cyber security and targeting those areas for investment rather than looking at blanket spending increases. Here we’re going to look at some trends in cyber security and their impact on budget planning.
Additional reading: If you want to read more about the future of cyber security, take a look at our eBook — Planning For The Future Of Cyber Security Today
How and why cyber spending is changing
The way organisations approach spending on cyber security is changing for a number of reasons, as we’ll come to shortly. But spending continues to vary between application and industry – on average, energy companies are investing less than 0.2% of revenue in cyber security, while the corporate banking industry comes in at 0.6%.3 4
Overall, global spending on security awareness training and phishing simulation programs is predicted to reach $10 billion by 2027 and, as the table below indicates, this level of increase is mirrored throughout cyber security applications.
|Information Security & Risk Management End User Spending by Segment, 2020-2021 (Millions of U.S. Dollars)|
|Market Segment||2020||2021||Growth (%)|
|Identity Access Management||12,036||13,917||15.6|
|Integrated Risk Management||4,859||5,473||12.6|
|Network Security Equipment||15,626||17,020||8.9|
|Other Information Security Software||2,306||2,527||9.6|
|Consumer Security Software||6,507||6,990||7.4|
|Source: Gartner (May 2021)|
Despite this, in a recent survey, 60% of respondents suggested that cyber security spending is still underfunded.5 With this in mind, let’s take a moment to briefly consider a couple of reasons why attitudes towards cyber spending have changed in recent times.
Increased focus on resilience
If cyber attacks increase, it’s natural that organisations who find themselves targeted will want to adapt their approach to cyber security to protect themselves. One study found that 28% of organisations that suffered cyber attacks in 2020 were targeted on more than five occasions throughout the year.6 The same study found that the average organisation surveyed now devotes more than a fifth (21%) of its IT budget to cyber security, a jump of 63%. This is a clear indication that as attacks increase, organisations are also increasing their spending on security.
The impact of reputational damage
While the direct cost of a data breach can have severe consequences for an organisation, the long-term implications that come with the reputational damage caused by a breach are also having an impact on cyber security spending. The average cost to an organisation’s stock market value is estimated at almost $4 million per breach, with regulators in the UK also increasing maximum fines to 4% of turnover.7 The result is a need for more proactive cyber security investment that minimises risks, rather than simply reacting to a breach after it has occurred.
Trends impacting cyber budgets
To help contextualise the major changes that are impacting cyber budgets, we now want to look at this from a trends perspective and illustrate how these major cyber trends are driving budget changes.
Trend 1: Supporting Remote Working
Remote working is not a new thing. But since 2015, it has increased by 140%, ten times more than all other work activities. This dramatic increase has been more pronounced of late, and it is clear we will not go back to everyone being in the office — huddled behind the firewall.
What’s behind this trend?
As a result of the COVID-19 pandemic, people are now working from home in large numbers. As people generate, access, and share more data remotely through cloud apps, the number of security blind spots increases.
Identifying critical attack areas and anticipating possible attack scenarios helps avoid such blind spots. It is essential to have a flexible and responsive security system that can cope with remote working demands.
What impact does it have on budgets?
With most organisations establishing remote working, a highly effective security system is not just an option but a must-have.
We see a trend away from basic endpoint security to a more complete Managed Detection and Response (MDR) approach. What is MDR? MDR is a managed cyber security service that provides intrusion detection of malware and malicious activity and assists in rapid incident response and remediation.
MDR has a positive impact on budgets as it combines a technology solution with outsourced security analysts to extend your capabilities to include:
- Proactive alert management, detection and response
- Comprehensive protection of infrastructure
- Bespoke, industry-specific configuration and management capabilities
Trend 2: Making Cloud and SaaS Secure
More and more organisations are migrating to the cloud. In doing so, they are also exposing their organisation to new security threats. Attacks like phishing, malware, and data breaches are on the increase. It is becoming much harder to maintain the flexibility and value of cloud services while keeping cybercriminals at bay.
What’s behind this trend?
Many cloud services lack the basics, such as secure encryption, authentication, and audit logging. Poor configuration of cloud security can also lead to criminals bypassing internal policies meant to protect sensitive information. To address this, security in the cloud is moving to predictive security. It can identify threats before attackers can start their attack. It can also pinpoint attacks that pass through other endpoint security.
What impact will this have on budgets?
More organisations will be implementing predictive security, with the market gaining a 261% ROI for over three years.8 Some sectors are also leveraging multi-factor authentication to reinforce security.
Budgets will have to be changed to reflect these new cloud applications and new security contexts — one good suggestion from Gartner is to ensure you include a security line in any new cloud service organisation case.
Trend 3: Automation and AI
Manual threat hunting is expensive and time-consuming, and there aren’t always people on hand to do it. AI systems are being trained on big data sets collected over decades — so they can analyse terabytes of data per day at a scale unimaginable previously.
What’s behind this trend?
The competition for talent in cyber security is fierce. It is almost impossible to hire people with the appropriate cyber security skills. Faced with this skills gap, CIOs and CISOs are beginning to augment their security with AI and ML (machine learning).
What impact will this have on budgets?
Machines are more cost-effective than individuals in handling regular tasks and coping with enormous volumes of data. As the demand for security experts rises, the people cost will also inevitably increase.
The perfect solution for CISOs is an AI system resembling a human expert’s investigative and reporting techniques, so cyber threats are identified and remediated before any damage is done.
However, it is worth noting that AI models are based on massive datasets, and some companies don’t have the resources to obtain them. Time and money are also required to invest in AI computing resources and should be factored into budgets.
Trend 4: New Threat Landscapes
The definition of the word hack emerged from MIT in 1955. The first known mention of computer or phone hacking arose in 1963. Over the past 50 years, attack surfaces have evolved from phone systems to the vastness of the internet.
Cyber threats have now expanded from targeting computers, networks, and phones to aiming at people, transport, utilities, government and financial systems.
What’s behind this trend?
When it’s commonly used, it’s widely abused. For example, email continues to be the most common attack vector, with almost 5% of organisations’ emails containing a malicious element.
What impact will it have on budgets?
As cyber threats become more aggressive, organisations will need to keep ahead by identifying new threats and strengthening their security measures. This is not just a technology issue. Cyber security awareness will be essential to prevent costly identity theft and data breaches.
While the increased emphasis placed on countering new threats will generate a rise in spending, security teams will inevitably have to do more with less. The way forward is to employ a targeted risk approach and lean heavily on security service providers’ expertise and experience.
Suggested reading: If you want to learn more about continually evolving cyber security threats and concerns, check out our blog — The Threat Landscape Never Sits Still: Four new risks organisations face in 2021
Six Degrees can help
According to Brian Reed, Senior Director Analyst at Gartner, “We can spend too much time over analysing choices we make about security, striving for a notion of perfect protection that just simply does not exist.”9
The value of an organisation’s cyber security posture today depends essentially on how well it guards its data, the strength of its security, and its level of resilience. To deliver this value, you now need to consider structural and architectural changes to how you approach your security budget. There will be a need to focus on competencies, not just tools, tactical knowledge, and cyber security skill sets.
Partnering with an experienced, credible cyber security provider will allow you to establish your risk appetite and get the best value from your cyber security approach.
Six Degrees provides a complete security solution including compliance, governance, testing and offensive and defensive managed security services. We enable clients to implement cost-effective and robust security measures across all levels.
Some of the areas we can have a direct budget impact on include:
- Independent cyber security advice
- Using consultancy to support improved cyber security decisions
- Providing cyber assessments to understand and communicate security priorities
- Having a more flexible response to adapt to evolving cyber threats
Security spending is, in the end, an exercise in risk management. Organisations need to ask themselves: are we addressing low risks at a higher cost than necessary, or are we addressing high risks at the lowest possible cost? Are we making the best use of our available budget?
We believe partnering with a managed service provider like Six Degrees is the most effective way to deliver the best approach to your cyber security budget and to deliver the best possible outcome to your organisation.
- Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021
- Three benchmarks to inform cyber security spending plans for 2020
- Global Cybersecurity Spending Predicted To Exceed $1 Trillion From 2017-2021
- Reshaping the cybersecurity landscape
- Cybersecurity budgets explained: how much do companies spend on cybersecurity?
- The Hiscox Cyber Readiness Report 2021
- Cybersecurity spending must rise
- New Total Economic Impact Study Finds CB Predictive Security Cloud Delivers 261% Return on Investment (ROI)
- Gartner Top 10 Security Projects for 2020-2021