Report: Cybersecurity Budget Growth Slows but Doesn’t Stall
Inflation hit many organizations and departments hard this year, but cybersecurity budgets were affected significantly less than other areas, where budgets and staff were cut, according to a benchmarking report from IANS and Artico Search.
The 2023 Security Budget Benchmark Summary Report found that although year-over-year budget growth for cybersecurity was significantly lower than in 2020 and 2021, it still increased by 6 percent on average. Not everyone is experiencing this modest increase, though. Growth was slowest in sectors with more mature cybersecurity programs, such as technology, finance, and healthcare, and 37 percent of the 550 CISOs surveyed said budgets were flat or declining.
Of the CISOs whose budgets increased, 80 percent said the main driver of additional funds was something other than typical annual changes, such as a security incident, company repositioning, or a major industry disruption. Companies impacted by a security breach typically added 18 percent to cybersecurity budgets, according to the report.
Breaking down where those budgets end up, the biggest piece of the pie remains staffing and compensation costs (38 percent), followed by off-premises software (21 percent), outsourcing (11 percent), and on-premises software (9 percent).
Although staffing is the biggest chunk of spending, staff growth in cybersecurity also slowed this year, with a 16 percent increase in hiring budgets compared to a 31 percent increase last year. CISOs said they have sufficient tools, but they lack the people to optimize them, the report noted.
The cybersecurity talent gap remains a widespread challenge. Estimates vary, but there is a shortage of more than 3 million cybersecurity professionals needed to support organizations today, the World Economic Forum noted.
An ISC2 survey of Japanese cybersecurity leaders found that nearly half expressed concerns about their team’s ability to keep an organization secure during times of economic uncertainty. Seventy percent said their organization’s security team faces a skills shortage, due to inadequate budgets, misaligned resources, inability to retain in-demand staff, and limited resources to train non-security IT staff.
Cybersecurity staff are also under extreme pressure, both from the avalanche of risks and the lack of team support. According to a 2022 workforce study from ISC2, 70 percent of cybersecurity professionals feel overworked, and 25 percent of cybersecurity leaders will likely change jobs as a result of multiple work-related stressors.
“As a result of geopolitical tensions and macroeconomic instability, alongside high-profile data breaches and growing physical security challenges, there is a greater focus on cybersecurity and increasing demand for professionals within the field,” said Clar Rosso, CEO, ISC2, in a 2022 press release about the workforce study. “The study shows us that retaining and attracting strong talent is more important than ever. Professionals are saying loud and clear that corporate culture, experience, training and education investment, and mentorship are paramount to keeping your team motivated, engaged, and effective.”