Gartner’s latest forecast for information security and risk management spending further detailed where the cash is going: nearly US$77 billion will go to security services in 2022, making it by far the biggest of the spending categories; US$30 billion will go to infrastructure protection; US$19 billion to network security equipment; and US$17 billion to identity and access management.
Other areas getting big budgets include application security (US$6.6 billion), integrated risk management (US$6.4 billion), data security (US$4 billion), software (US$2.7 billion) and cloud security (US$1.4 billion).
Shawn Eftink, senior director analyst for emerging technologies and trends at Gartner, says CISO spending can be grouped into four big areas.
The first supports location-independent security: a cybersecurity program that treats identity as the de facto perimeter to be protected.
The second supports the evolution of the security organisation. Eftink says security departments are facing intensifying scrutiny as boards get more directors with cybersecurity experience; those board members want to see both increased efficiencies and demonstrable maturing of the security function, with decreased security product complexity being key to delivering on those expectations.
The third bucket features evolving technologies; organisations are spending more on emerging and maturing security technologies, such as breach and attack simulation tools, as well as the technologies needed to secure their growing cloud environments.
The fourth is outsourcing: spending that helps organisations bring efficiencies to their security operations and cope with internal staffing challenges.
Other security leaders have similar observations. They say CISOs are investing in access and identity management software, authentication technologies such as role-based access control (RBAC), user behavior analytics, and microsegmentation to support their maturing zero trust architecture. CISOs are spending on cloud security solutions. They’re buying automation and analytics to deal with the vast scale of security data more effectively and efficiently. And they’re engaging managed security services providers (MSSPs) to augment their own staff’s efforts.
“Identity and access management, third-party risk management, real-time intelligence and zero trust are all big areas of security investment,” Nocera says.
CEOs, in PwC’s 24th Annual Global CEO Survey, cited cyber threats as the No. 2 risk to business prospects, second only to pandemics and other health crises. CEOs in North America and Western Europe put cyber as No. 1.
Yet at the same time, experts say CEOs aren’t willing to write blank checks to their CISOs. The security chiefs’ own budgets for 2022 reflect that fact.
That’s with good reason, experts say.
“Spending doesn’t necessarily equate to security,” Eftink says, sharing an oft-repeated idea in the profession.
In fact, he says CISOs can expect that they’ll have to continue driving efficiencies and become more effective with either the same or minimally increasing budgets. And to do that they’re going to have to continue to shift security left, to embed it from the start into the operational processes and digital products that power the business and to weave security into the very fabric of their organisations.
“The majority of what has to happen is a transition of thinking: Security has to be an embedded piece, it can’t be an afterthought. A paradigm shift has to happen,” Eftink says.
“As companies allocate money to address these problems, they also need to build systems that are integrated across the company, making cybersecurity everybody’s business, not just the CISO or IT team,” he says. “Ultimately, strong companywide cybersecurity operations can build trust within companies, stakeholders, and consumers, becoming a competitive differentiator.
“The costs companies are fronting today to strengthen their systems should be thought of as investments in their future business models.”