The last quarter of the year can bring commotion to organizations when planning for next year’s strategies and budgets. Cybersecurity allocation is one of the topics that should get attention from decision makers - but are investments into organization security sufficient and prioritized adequately? This article gives an overview of how much focus and funding cybersecurity should receive in 2023 planning.
Overview: the security spending landscape
‘IT budget’ is an umbrella term that includes cybersecurity spending, IT investments, enablement of digital transformation, and integration of risk management. All company-centered IT assets and projects, ideally interconnected, provide successful business continuity.
The focal point of the modern cybersecurity strategy
Taking a long-term approach to cybersecurity strategies hardly applies to modern businesses anymore. Nowadays, strength lies in the ability to adapt to changes quickly instead of steadily climbing to a projected objective. The ‘new normal’ is outdated, as companies now expect the ‘next normal’ to change the current one.
To be agile as a company and have an agile strategy for information security is a winning trait of a successful business. In two years, the world witnessed a pandemic, unstable geopolitics, and economic inflation in light of the energy crisis. Tremors in stability are felt globally and are reflected in industries and the conditions they operate in.
Therefore, companies cannot allow themselves to project epic security strategies that eventually need to be adjusted mid-way through implementation and give results in the far future. In other words, a modern cybersecurity strategy must be lean and effective. It has to prove time-to-value for the company’s advantage and convince decision-makers during the implementation process.
What factors influence security investments?
The main drivers for the IT (including cybersecurity) budget depend on the global, industry, and company climate.
Global factors set dynamics that can create common challenges businesses need to find solutions for. Major common issues like the IT talent shortage increase competition between organizations. However, challenges like remote work enablement can accelerate technological developments.
Internal factors influencing cybersecurity spending can be impacted by external issues or remain entirely unrelated to them. Investments can depend on existing company infrastructure or business revenue.
Driving factors of 2023 IT budget projections
In 2023, the driving factors that will lead to an increase in IT budgets are affected by global and internal business factors.
According to 1,400 IT professionals that participated in Statista’s survey, much more attention will be paid to inflation — 40% of organizations see it as a driving factor to increase their IT budget. For comparison, in 2019 and 2020, this factor didn’t even exist in the scope of IT budgets, and in 2021, only 22% of respondents mentioned it as a driving factor.
Remote work enablement is a top factor in budgeting criteria for 35% of organizations in 2023 (slightly less than in 2022 at 37%). More than a third of companies planning to invest in remote work solutions are also looking to hybrid work arrangements. This shows that a lot has already been done in previous years when significant migration to home offices was mandatory.
Security concerns and changes to compliance standards are not as influential as in the record year of 2019 (56% and 37%, respectively), yet remain among the main driving factors that dictate spending. These two categories are linked as compliance standards and requirements constantly change and evolve to address increasing security threats and concerns.
For other internal driving factors at organizations, digital transformation for upgrading outdated infrastructure (51%) and priority IT projects (45%) need continuous financial injections to sustain initiatives in progress. Attention to growing employee numbers continues to remain high — in 2020, 47% of organizations saw user provisioning as one of the spending priorities.
Modernizing company infrastructure isn’t the only driving factor for increased security spending. The rising complexity and quantity of cyber threats, evolved working environments, and lack of knowledge resources demand investments in effective and optimized cybersecurity solutions.
When spending objectives don’t align
Responsibility for the IT budget typically falls under the CISO, CTO, or CIO. They need to identify the priorities and objectives for the upcoming year and prove that the prepared IT budget plan is to the company’s benefit.
However, it’s a difficult task, with objections coming from different priorities in the business strategy. Gartner surveyed a pool of 2000 CIOs, asking them to rank their primary objectives agreed on with management.
The most common objectives were improving operational excellence (53%) and enhancing customer experience (45%). Growing revenue (27%) and cost efficiency (22%) are less common primary objectives, yet they still come before digital improvements.
Therefore, the responsible roles must find a way to handle objections when presenting an IT budget strategy. No one else can better know the security pain points the organization is dealing with, so information security professionals must communicate these issues correctly to help management and decision-makers realize the significance of security, among other objectives.
The expense gap — how much do security budgets come short?
Allocating funds to the IT budget and cybersecurity should be primarily present in a company strategy. Whether perceived as a high priority or an inconvenient necessity that cannot be overlooked, organizations tend to come short of addressing the actual cybersecurity coverage.
The Security Priorities Study 2022 revealed that security isn’t prioritized sufficiently to address cybersecurity risk in 90% of organizations. The problem generally comes from decision-makers not adequately understanding the severity of the threats or insufficient financing to mitigate the risks. This attitude towards cybersecurity in over half of the organizations surveyed demonstrates the scale of unpreparedness and vulnerability.
What budget should a company dedicate to cybersecurity?
It would be easy if there were a universal number dictating how much companies should allocate to cybersecurity, but it highly depends on various factors. Understanding what must be considered before making a decision makes it easier to reach a figure.
Since 2018, companies have tended to allocate an average of 12% of their IT budget to information security. In 2021, the share reached 12.8%; in 2022, the cybersecurity spending was covered by 12.7% of the IT budget.
Budgeting focus points & recommendations
Here are the factors that your organization should consider when planning its upcoming IT budget.
Size indicates the scale that needs to be taken into account. The bigger the company, the more employees, clients, data, processes, and applications it has to handle. The scope converts into investments required to manage and secure the information assets in the company’s possession.
Large companies usually allocate more resources to mitigate the risks as their footprint is significantly broader. However, SMBs should not assume they are safe because they are smaller. Those that suffer security incidents are more likely to go out of business, as the damage is too severe.
Scaling must go hand in hand with cybersecurity investments. Fast growth means increasing amounts of data that need to be contained securely.
How do you store personal customer data, or how quickly can you onboard and integrate employees into the company network? Are you expanding to other continents or planning to introduce global hiring? Growth is good, but security spending must ensure it covers all challenges that come with it.
State of current infrastructure
Do you need to perform digital transformations for legacy infrastructure? Or perhaps you’re a startup whose security infrastructure is a work in progress?
Security spending will depend on whether there’s a need for a few upgrades or a complete rebuild. Migration to cloud environments or on-premise infrastructure hosting requires different resources and investments over time, which must be considered when planning the budget.
Review the company’s experiences, challenges, and trends in the past year. Assessing what urgent and long-term improvements your business needs will help to identify security pain points and what must be prioritized to ensure business continuity.
What previous decisions and chosen security strategies proved effective, and what parts should be adjusted? Moreover, aligning with overall business goals and objectives is essential when creating the IT budget.
Identify what risks the business is exposed to by auditing the data your company works with. What is your industry, and what cyber threats are common? Do compliance requirements regulate the sector?
Besides external threats, companies often lack security policies to cover their vulnerabilities. Review and assess policies regarding hybrid work, endpoint security, and identity verification.
Projections for 2023
According to Gartner forecasts, IT spending will likely reach $4.6 trillion globally in 2023. It’s a 5.1% increase compared to last year’s IT spending. However, this will not make up for the global inflation rate, which is projected to reach 6.5%.
Despite inflation, just 6% of organizations plan to reduce their IT budgets, contrary to 51% of businesses that plan to increase their spending. According to the 2023 State of IT survey, IT budgets will increase in 40% of organizations due to financial fluctuations — an 18% increase compared to 2022.
In 2023, the top categories of increased investment include cyber and information security (66%), BI or data analytics (55%), and cloud platforms (50%).
What does this mean for CISOs? IT spending remains a priority, although influenced by the economic landscape. Ongoing IT initiatives can be sustained with a focus on optimization and innovation instead of growth, whether it’s a project in progress or pending strategies waiting in line.
Although consumers will reduce their spending on technology by 0.6% next year, inflation won’t set a hard stop for enterprise IT investments. Instead, it will elevate cybersecurity spending - Investments in Software Solutions suggest an 11.3% growth for IT Services.
Security spending, including productivity software, will reach an average of 11% of the allocated company’s IT budget in 2023.
Annual European IT security spending will sustain its growth rate to 9.4%. In 2022 it will almost reach a total of $47 billion in spending, and following projections will surpass $66 billion in 2026. Security services, followed by software and hardware, will take up a significant part of IT budgets as the skilled IT professionals’ pool won’t grow quickly enough to cover the needed talent gap.
In 2022, the banking industry set the trend as Europe's most IT security-focused sector. It will continue to mature its cyber resiliency with intense funding after investing €6 billion. A focus on IT spending in Europe highlights the security gaps in company IT defenses, cloud, and endpoint security solutions.
Increasing security for governments
The government sector in Europe has the fastest-growing cybersecurity spending (11.9%) and should maintain its pace for the following year. This tendency to increase cybersecurity spending follows the transportation sector (securing the supply chain) and the wholesale industry (robust cloud, remote devices, and contactless payment systems’ protection).
Proposed cybersecurity spending for U.S. government agencies in 2023 shows an increase in allocated budgets compared to the previous year. The $2.6 billion cybersecurity budget requested by the Department of Homeland Security for the upcoming fiscal year distributes increasing security budgets for 22 federal agencies out of 24.
Security budget of SMBs
The pandemic triggered an increase in cybersecurity spending by small and medium businesses. In 2022, SMBs’ total spending on IT worldwide increased by 5.8%, and it’s predicted spending will reach 7.4% by 2025. Starting with $16 billion spent on managed security services in 2020, it is believed spending will grow 14% yearly and reach one-third of SMBs’ cybersecurity spending — a $90 billion budget in 2025 globally.
Projected worldwide SMB cybersecurity investments for 2025 focus on network security ($22.1 billion), mobile security ($8.8 billion), and web/email security ($8.3 billion). Investments in endpoint security ($6.2 billion) and data security ($4.1 billion) are not as significant as investments in network, mobile security, and managed security services for overall risk management.
Despite the increased security spending, SMBs still have a huge gap in their cybersecurity practices. Nearly half (44%) of small-medium enterprises do not have a developed cybersecurity incident response plan, and only 12% of organizations fully manage identity access. 13% of SMBs have implemented no basic IT security measures.
Interestingly, according to Foundry research, the budgets of small businesses grew three times from 2020. Still, unlike large enterprises, small companies intend to cut down on security spending for the upcoming year.
An alternative to security — the cost of a breach
Reluctant investments in cybersecurity result in profits for cybercrime. Companies that believe they have nothing of value for cybercriminals or are too small to attract a cyber attack hold back on prioritizing security strategy implementation.
However, in case of a security incident, companies tend to lose a few times more than they would have spent building security foundations.
The estimated total for information security and risk management spend will grow to reach $172 billion in 2022. Meanwhile, total cybercrime in the same year is expected to reach $6 trillion in damages. This means not investing now will eventually cost much more in the future.
How can NordLayer help with strategizing the 2023 security budget?
Despite the economic turmoil, the cybersecurity market holds its relevance. Businesses continue prioritizing spending on security as increasing alerts of cyber-attacks keep enterprises on their toes. To outpace cyber threats, cybersecurity budgets must remain on the front lines of any business strategy.
Make security budgeting less challenging by knowing what’s on your agenda when creating your strategy. We understand the importance of sufficient safety and thus have created a targeted decision-makers tool. The Decision Maker’s Kit provides recommendations and instruments to assess your cybersecurity needs, select the right solution, and confidently convince management.
NordLayer is an affordable and comprehensive network security option that enables businesses of all sizes to work in any environment and quickly secure their data. From user protection to secured information transactions, NordLayer is an agile and streamlined solution for scaling organizations — get in touch with our team to learn more.