Are cybersecurity budgets increasing or decreasing?

In December 2019, experts were predicting 2020 would see a modest 8.7% growth in cybersecurity spending. With the ongoing COVID-19 pandemic, it comes as no surprise that security budgets instead are being slashed, prompting Gartner to revise its estimate to 2.4% growth in spending. Are they right? Let’s look at Table 1 and the predictions over the last few years:
 

Table 1. Gartner IT security spending: predicted and actual

In researching the predictions, I found that they changed so often it was hard to land on which prediction to use when comparing them. Overall, the original predictions were not even close to the actual spending, so I used the midyear restated predictions to illustrate the gap between prediction and actual spending. The past two years’ predictions have proven to be off by an average of 3.6%. Assuming the variance remains consistent, this means as much as $4.44 billion less could be spent than what is predicted. If that happens, it would result in a decline in security spending for the first time—perhaps ever.

As the disappearing budget crisis rears its ugly head, companies must hunker down and prepare for more spending cuts. COVID-19 has made enabling working from home an existential issue for many organizations, which are now focused on providing secure services in an environment where on-premises controls are no longer relevant. This has forced organizations to accelerate the creation of new processes and controls and has driven demand for cloud- and SaaS-based solutions to offload their risk and sustain their businesses. The clear takeaway is that cloud security and SaaS offerings, which may offer ancillary but weaker security services, will see budget increases to facilitate the shift, while on-premises risk budgets take the brunt of the budget decreases.

Teams that survive the pandemic while keeping their business protected can thank the risk teams for their role in correctly identifying the potential impacts of a future pandemic and helping to justify the programs used to protect their companies. There is no future without risk management, but for now the focus has to be on the here and now, and how to thrive in the new world post COVID.

A key area where reduced budgets are colliding with the added cyber-risk burden brought on by the pandemic is in the banking and financial services sector. The following are some illustrative scenarios that are likely to unfold for banking and financial organizations:

• Banks, especially large banks, run massive call centers that typically have high employee turnover, which is a risk in itself. But banks are now allowing this population of users to access customer data from their homes without direct manager supervision. Call center staff will be pushed to return to offices sooner than other roles.
• Projects that propose leveraging cloud or other remote technology will likely be approved. Where cybersecurity has formerly been considered a drag on these efforts, often because of real security concerns, companies will experience increased pressure to move forward without addressing the underlying concerns.
• Regulators are eventually going to start looking for banks to justify the risk decisions they made during the crisis.

Conclusion

Organizations likely won’t be returning to the way things were before the pandemic anytime soon, if ever. Security teams should immediately start creating full-time operating plans to support this new normal.