Cybersecurity spending trends, 2020

Spending is up, but perhaps not in the most needed areas; increased business leader involvement brings new challenges; and vertical industries have different requirements and priorities.

It’s still early in the year so it’s worth posing some important questions: Will organizations increase their cybersecurity budgets in 2020?  If so, what are their requirements and investment priorities?

ESG recently published its annual IT spending intentions research for 2020.  The research can help answer these and other questions.  For example:

  • 55% of organizations will increase overall IT spending in 2020. At least half of organizations in the health care, technology, retail/wholesale, manufacturing, and business services industries will increase IT spending in 2020.
  • When asked for justifications for increasing IT spending, 36% of survey participants responded that their organization wanted to improve security and cyber risk management. This should mean that security is baked into every IT decision, but that’s not my experience. 
  • 62% of organizations will increase cybersecurity spending in 2020, while another 36% will keep cybersecurity budgets flat. Technology organizations are most likely to increase spending (73%), followed by manufacturing (68%), and retail/wholesale (67%). 
  • The top 4 areas for 2020 security investments are: Cybersecurity technologies that employ AI/ML for threat detection (32%), data security (31%), network security (30%), and cloud application security (27%). Threat detection and network security often get top billing, but the data reinforces that, as an industry, we need to pay more attention to data and application security.
  • 40% of survey respondents identified cybersecurity as the business initiative that will drive the most technology spending in their organization over the next 12 months. Cost reduction finished second with 31%.  Obviously, cybersecurity has become a business imperative, not just an IT imperative.
  • Strengthening cybersecurity tools and processes was cited as the most important of all the widely publicized and discussed technology meta trends (24%), followed by use of public cloud infrastructure (14%). Meta trends often include a lot of hype, but not so with cybersecurity – the need for improvement is very real. 
  • When asked which network infrastructure capabilities would have the greatest impact on helping their organizations grow their business over the next 12 months, 43% of respondents cited ensuring network security, the top response overall. Maximizing network performance was second at 29%.  Once again, the implication is that security should be embedded in networks at the infrastructure level.  I’m seeing a move in this direction.

With RSA rapidly approaching later this month, the ESG research data has several ramifications that should be highlighted at the event:

  1. Security is a priority for CEOs, CIOs, and corporate boards. This means that it’s not enough to talk malware detection or security data contextualization; cybersecurity vendors must be able to articulate business value.  Leaders here will describe metrics, goals, and best practices, not hyperbole.  These messages must be applicable for corporate executives and communicated in business terminology. 
  2. Industry behavior around cybersecurity varies. The ESG data reinforces my theory that cybersecurity is evolving from horizontal layers of defense to vertical business solutions.  In other words, a regional health care network with 10,000 employees has increasingly different cybersecurity requirements from a financial services organization of the same size.  Cybersecurity industry winners will recognize these differences and weave vertical expertise and communications into product development, sales, and marketing. 
  3. Some things just aren’t working. The fact that organizations increase cybersecurity budgets annually is nothing to cheer about – it means that the security industry has failed its customers in some ways.  As an industry, we should be eating a slice of humble pie and working toward understanding where we fall short and what needs to be done about it.  We also need to do more to help our customers succeed – not just sell products to one customer and move on to the next.

Copyright © 2020 IDG Communications, Inc.
