With all the uncertainty around the economy — and recession fears — organizations have to make some tough decisions as they plan 2023 budgets.
IT budgets are expected to take a hit, as Gartner predicts that, while organizations will continue spending on IT, it will be at a much slower pace than in recent years.
If IT spending is slowing, will business leaders follow a similar approach for cybersecurity budgets? The answer is probably not. Gartner predicts that the end-user spending on both security technology and services will see an annual growth rate of 11% over the next four years, and many security professionals agree with that assessment.
That’s the way it should be, according to Bob Stevens, VP of public sector at GitLab.
“If it isn’t already, I foresee security becoming one of the top investment areas for companies and government agencies in the coming year – especially in the form of DevSecOps,” said Stevens.
In fact, cybersecurity is now one of the top spending considerations for government and private sector leaders, according to GitLab’s 2022 Global DevSecOps Survey.
The study found security is the highest-priority investment area for organizations – even outranking cloud computing. Among government respondents, 60% currently implement security capabilities for cloud native or serverless or plan to in the coming year.
“With that goal in mind, companies and government agencies will have to increase attention and budget for cybersecurity,” said Stevens.
Impact of risk
Cybersecurity spending is extremely durable, said Karl Mattson, CISO for Noname Security. Security is commonly shielded from budget cuts because of how closely it is tied to operational and reputational risk.
“The risk exposure of a cybersecurity incident could be consequentially damaging to an organization’s mission,” said Mattson. That alone could temper the temptation to decrease the cybersecurity budget.
Risk exposure takes on greater urgency in an uncertain economy. If security budgets see a decrease, it can create gaps in protection.
What appears to be a short-term solution to cost savings could end up costing a company even more in downtime, lost business, and fines as part of the aftermath of a data breach.
Where budgets could be cut (and one area that’s untouchable)
The need for a strong cybersecurity program doesn’t make it immune to cuts. If the organization has to tighten its financial belt, leadership will take a hard look at where it can cut costs in security spending.
“If the past is an indicator of the present, then most likely tools and upgrades will take the first pass in sharpening of the pencil,” said Pam Nigro, VP of security and security officer at Medecision, and ISACA Board Chair.
When most companies developed their cyber program, there was a strong emphasis on tools that could help the security team manage its environment. During economic uncertainty, Nigro said, it is a good time to review those tools and apply a total cost of ownership model by considering the following questions:
- What was the initial cost of the tool?
- What was the cost to install or implement the tool in your environment?
- What is the operating cost of the tool?
- What are the maintenance costs of the tool?
- Is the tool meeting expectations and mitigating the appropriate risk?
“After completing the assessment and review of the TCO, an opportunity for consolidation may arise without losing risk mitigation capabilities and threat intelligence,” said Nigro.
Other places where the budget could be cut without too much damage are vendor and licensing contracts and the delay of new, non-critical projects.
But one potential budget cut that should be off the table and not considered unless it is a dire emergency is laying off skilled security employees. Talent is already hard to find, and retaining skilled workers is a constant challenge.
“Now is a great time to look at your overall cybersecurity people, process, and technology areas,” said Jon Clay, VP of threat intelligence at Trend Micro.
It is also an excellent time to identify your most significant risks, should a successful attack occur, and identify how you can improve your security posture in these areas.
Malicious actors will not stop their attacks — instead, they will continue to evolve and identify new ways of targeting victims.
“Cybersecurity budgets need to address this in a way that allows the business to continue to operate efficiently and effectively while ensuring their costs are spent on their most critical areas and in a way that can ensure they still have defenses that can minimize the costs of a successful attack,” said Clay.