Surprisingly, IT security spending has been flat for several years, recent data from Gartner show, but that doesn't mean organizations are standing still.
Investment in new security products and the emergence of leadership roles beyond the IT department suggest security is still gaining visibility at the C-suite and board levels.
By two measures – the portion of IT spending on security and IT security spending per employee – spending has stagnated since 2016.
Last year, the median level of spending on IT security accounted for just 5% of total IT spending, up slightly from 4.8% in 2017.
The median per-employee security spending of $587 is virtually unchanged from $590 in 2016. (Security spending as a portion of revenue increased, though that's largely due to declining revenue in 2020.)
For Gartner, these figures represent a baseline, as the firm expects IT spending and IT security spending to continue to grow in tandem.
"We don't see things slowing down in any significant way," said Nat Smith, senior research director with Gartner.
Spending the same amount, only on different products
Where IT security spending has shifted is in the type of IT asset it protects. From 2019 to 2021, spending on security for hardware dropped to 10% from 15%, with spending on security for software increasing to 32% from 27%.
The reason: cloud.
"Organizations want to see how vulnerable their pieces of the cloud are," he said.
Companies are pouring money into products such as cloud entitlement management, which helps manage permissions, and cloud security posture management, which identifies cloud misconfigurations and other compliance risks.
Organizations are also looking to get more for their dollar, which can mean eschewing single-use products.
Secure access service edge, for example, consolidates several security functions — including SD-WAN, VPN, firewall and zero-trust access — into a single cloud-based service.
Meanwhile, identity products often bring together governance and administration, single sign-on, access management, and multifactor authentication.
For all the evolution in spending strategy, there's a catch. Organizations that have experienced a security breach or another incident are more likely to spend – and spend wisely – than those that have not, said Isabelle Hertanto, principal research director for security, privacy, risk and compliance at Info-Tech Research Group.
After your company has been breached "you have a lot of buying power, and you're not working as hard to justify your investments," she said. Before a breach, "there's a false sense of complacency. Even if the security lead says, 'We should be spending more,' ultimately the person responsible is the CFO or someone who isn't a security leader. To them, it's not a priority."
Security a business, not just IT, function
Changing this perception is no small task, Hertanto said. Trusting relationships between security leaders and the rest of the executive team, as well as the Board of Directors, play an important role.
"You can't expect to convince them in a half-hour board presentation. It takes years to build that trust," she said.
Increased understanding that security is an independent business function, and not just an IT function, helps to close that gap.
Gartner projects that a single executive focused on security – namely, the CISO – will be insufficient for most large organizations as early as 2025.
Additional roles may include a chief risk officer, who manages the overall risk of business assets, or a cyber risk officer, who assesses risks such as breaches, data leaks, or cloud misconfigurations in the organization's software products.
Software vendors may also consider a product security officer tasked with understanding the inherent risks in the products the company ships, such as any third-party resources.
With these new roles, IT security spending will move to other business units. This will force organizations to look at security in the context of business priorities, according to Hertanto.
The time is ripe to shift the perception of security as "The Department of No," she said.
"In many organizations, security is still seen as a business cost center, going against innovation and impeding growth. But security can be a business enabler," Hertanto said. "If you don't manage business risks accordingly, you can't achieve greater gains. Security can be an enabler in the same way."