A new survey of 550 chief information security officers (CISOs) found that cybersecurity budgets in the 2022-2023 cycle on average increased only 6%, after double-digit increases (16% and 17%) in the two prior budget periods.
At 37% of companies, CISOs reported flat or declining cybersecurity budgets, according to IANS Research, a cybersecurity consulting firm.
“In the latter part of Q4 2022 and throughout 2023, many CISOs reported difficulty getting the resources they needed, with some indicating outright budget freezes,” said Nick Kakolowski, senior research director of IANS.
Macroeconomic conditions were the main factor contributing to the conservative budget increases in 2023, Kakolowski told CFO. However, “developments like the SEC breach disclosure rules indicate a growing awareness of the links between cyber risk and financial risk … so security will probably continue to be somewhat sheltered from extreme changes due to market conditions,” he said.
Gains in Share
The good news for CISOs battling growing system intrusion attempts is that cybersecurity budget as a share of total IT budget — a key metric for external benchmarking — grew in 2022-2023. Security’s portion rose to 11.4% of total IT planned spend, up from 9.9% in the 2021-2022 cycle.
Matt Comyns, co-founder and president of Artico Search, an executive recruitment firm that co-conducted the survey, said IT budgets are being cut at a faster rate than cybersecurity budgets. “Furthermore, security is becoming more expensive and complex, while IT is becoming increasingly commoditized.”
A little more than 6 in 10 CISOs received a budget increase in the 2022-2023 cycle, but the reasons and the size of the increases varied. (See chart.)
“Each year, we see respondents who increase their budgets and staff sizes by more than 100%. Major changes in risk appetites can fuel huge budget corrections.”
Nick Kakolowski, senior research director, IANS Research
One-fifth of the CISOs said their increase was a “routine annual adjustment,” and 15% said the cybersecurity budget increase was part of a digital transformation project. Those two groups of CISOs saw their budgets rise 7% and 19% on average, respectively.
“In many cases, strategic priority projects, such as long-term digitalization projects, were excluded from budget freezes,” said Steve Martano, a partner in the cybersecurity practice at Artico. “These are often initiatives approved by the board and presently being executed and driven by company leadership.”
The other most significant increases in budgets corresponded to “a change in risk appetite” (resulting in a 22% higher budget) and “major industry disruption, such as highly publicized data breaches” (27%). Companies suffering an attack or breach (only 2% of the surveyed executives) raised their budgets 18% on average.
As in the survey’s three prior editions, staffing and staff compensation continued to be the largest portion of most cybersecurity budgets — 38% on average. Companies fully in the cloud tended to have a larger allocation for staff. Martano cited the cloud as a “massive change” for security teams now needing to hire “cloud architects, cloud engineers, and cloud compliance professionals at a fast clip.”
So far, it doesn’t sound like artificial intelligence and automation will obviate or reduce the need for human cybersecurity experts. On the other side of the same coin, there is growing evidence that AI usage can actually increase vulnerabilities.
“The use of AI, automation, and similar tools that let staff work faster and smarter can reduce expenses, but those cost savings can’t entirely compensate for the increased scope of operations facing security teams,” Kakolowski told CFO. “Third-party risk management alone has created an exponential increase in security complexity that requires extensive resources, both in terms of labor and tooling.”
The IANS-Artico survey was conducted from April to August 2023.