- Eighteen percent of Gartner customers say they intend to change their security budgets mid-cycle in reaction to "major changes in their business, risk or technology environments," said Tom Scholtz, distinguished VP analyst at Gartner, while speaking at the Gartner IT Symposium/Xpo Americas last week. The majority, 82%, change investments during annual or bi-annual cycles.
- In 2017, IT security spending increased from 5.9% to 6.2% of overall IT spend year over year, according to Gartner. But by 2019, IT security spending fell to 5.7% of overall IT spend.
- Companies in the software publishing and internet services industry spend the most on security, 9.5%, followed by banking and financial services with 7.6% spend, and government (state and local) with 5.7% of the IT budget.
The tumultuous climate companies are currently working in is the perfect time to reevaluate risk.
Despite indications of increased cybersecurity spending, over the last five years security organizations have had relatively stable budgets. IT security spending ranges from 1.7% to 11.5% of IT budgets — "this is not necessarily good or bad," said Scholtz.
The range of spend "is just a reflection of the reality that organizations find themselves in different contexts and in different positions when it comes to having to make security investment decisions," said Scholtz. It's therefore unfair to compare companies' security budgets with their peers.
"Security is about scarcity," said Scholtz. Security leaders are accustomed to working with "scarce resources" and deciding "where we are going to invest those scarce resources in order to find the optimal way of managing."
Achieving cost efficiency isn't always linked to vendor consolidation. Spending on security service providers is projected to increase in tandem with reliance on cloud security. Over the next two to three years, more than two-thirds of organizations will use cloud security as their default "as a service" product, according to Gartner.
But even with the cloud, only 16% of organizations saw a reduction in spending through vendor consolidation, while nearly one-quarter of organizations saw an increase in spend when consolidating vendors.
Forty-one percent of organizations say improved risk posture is a benefit of vendor consolidation. While investing in technology will reduce risk as it pertains to data and the IT infrastructure, "it feels to me that we might be missing an opportunity" in investing in a culture of security, said Scholtz. Training employees on basic security practices might — in some cases — outweigh a technological solution.
If companies are strapped for investment spending, Scholtz recommends a forward-thinking cost opportunity — decide if the company can wait out the return on investment on a larger project, or if they need the benefit upfront.
"When dealing with scarcity, we must choose the alternative with the lowest opportunity cost," said Scholtz. Investing in user behaviors is one such opportunity cost that may not be as obvious as an ROI in technical solutions, like cloud access security. "We need to understand how these trade-offs work," if you choose one over the other, said Scholtz.
There are also cases where companies have the tendency to overinvest in an opportunity. Consider a company that owns an application with sufficient risk posture and delivers significant business value. But if a company has an application that is positioned well in risk but comes up short in business value, "there's an opportunity for us to reallocate some of our funding," said Scholtz.
There might also be incidents where the value of an application is directly impeded by a poor risk posture. It's where opportunity cost and risk adjustment collide.
"Cost optimization is not just about cost cutting. It's about taking a portfolio approach, looking at the various areas where we can potentially cut costs," or redirect part of the budget into other areas of IT or the business, said Scholtz.