• United States



Mary K. Pratt
Contributing writer

Cybersecurity spending trends for 2022: Investing in the future

Dec 20, 20219 mins
BudgetingCloud SecurityIT Leadership

As security budgets continue to rise, where is the money going? Recent surveys offer insight into CISO spending for the year ahead.

currency / money / coins
Credit: ForYou13 / Getty Images

Enterprise spending on cybersecurity is expected to hold steady in 2022, as studies show that nearly all CISOs are getting a budget increase or level funding in the new year--only a small fraction of security chiefs will see their budgets fall.

CSO's 2021 Security Priorities Study found that 44% of security leaders expect their budgets to increase in the upcoming 12 months; that's a slight bump-up from the 41% who saw their budgets increase in 2021 over 2020. Fifty-four percent of respondents say they expect their budgets to remain the same over the next 12 months. Only 2% said they're expecting a decrease--a much smaller figure than the 6% who saw their spending drop from 2020 to 2021.

budget change 2021 slide 16

Click image to expand

Other research has found similar trends for next year.

According to PwC's 2022 Global Digital Trust Insights report, "investments continue to pour into cybersecurity" with 69% of responding organizations predicting a rise in their cyber spending for 2022. Some even expect a surge in spending, with 26% saying they anticipate a 10% or higher spike in cyber spending for the upcoming year.

Meanwhile, tech research and advisory firm Gartner estimated that spending on information security and risk management will total $172 billion in 2022, up from $155 billion in 2021 and $137 billion the year before.

Despite the steady state of funding, CISOs aren't going to be flush with cash. Security leaders and executive advisors say security departments must continue to show that they're delivering value for the dollars spent, maturing their operations, and, ultimately, improving their organization's security posture.

"Organizations know that risks are increasing every day, and as such, investments continue to pour into cybersecurity," says Joe Nocera, leader of PwC's Cyber & Privacy Innovation Institute. "We're hearing from business leaders that they'd be willing to spend anything to not end up on the front page of a newspaper for a hack, but they don't want to spend a penny more than is necessary and they want to make sure they're spending their money in the right areas. That's going to require the CEO and CISOs to work together. CISOs need to know what the right level of protection is."

Nocera adds: "Cyber investments are becoming less about having the latest products from tech vendors and more about first understanding where the business is most vulnerable, then prioritizing investments by how likely an attack will occur and how substantial that loss could be to the business."

Sam Rehman, CISO for EPAM Systems, says cybersecurity budgets for 2022 reflect the ever-increasing interest from the rest of the executive team and the board in the enterprise cybersecurity program.

According to the PwC report, "Organizations know that risks are increasing. More than 50% expect a surge in reportable incidents next year above 2021 levels."

Rehman says the volume of attacks is only one of the factors that have many organizations boosting their security spend. He says executives also see the significant impact breaches have. And how the ease of monetizing attacks in the age of anonymous cryptocurrency keeps attackers well motivated.

"Those three things have upped the game," he says.

factors slide 16

Click to enlarge image

In response, corporate leaders now want to know that they're adequately defending their organizations and that they can adequately respond to an attack; they want both protection and resiliency. They're coming to understand that there's no such thing as 100% defended, but that a strong defense can buy time--time to detect, respond and recover before significant (or even any) damage is done.

"The majority of organizations will significantly boost their spending budgets in order to protect themselves and their customers against cyberattacks," Nocera adds.

At the same time, security leaders say they're feeling pressure from external entities, in addition to their C-suite colleagues and board members, to deliver results. They're hearing from customers, business partners, and regulators that security is top of mind for them, too.

Kyle H. Lai, who as president of KLC Consulting serves as a virtual CISO for three mid-size companies, points to President Biden's May 2021 Executive Order to beef up the nation's cybersecurity as one factor influencing security budgets. He also cites the growing list of country- and state-issued consumer data privacy acts and other legislative actions as factors influencing how much money CISOs need and where they'll spend it.

"These [regulatory and legislative actions] are important to a lot of companies because they're going to have to meet these requirements, especially the companies working with the federal government or the Department of Defense," Lai says.

Survey findings back up those observations.

According to CSO's Security Priorities Study, 49% of respondents cited best practices as a determining factor on their security spending and 49% also cited compliance, regulations, or mandates as a determining factor--earning those two categories a tie for the top spot on the list.

Those were followed by the need to address the evolving risks posed by changing workforce or business dynamics--notably hybrid and remote work (41%); addressing risks that result from digital transformation such as the move to the cloud (38%); responding to a security incident that happened in their own organization (35%); and responding to a security incident that happened in another organization (25%).

Those factors correlate to where CISOs expect to spend their money in the upcoming months.

Spending priorities

CSO's survey showed that spending is spread over a number of areas, with 20% allocated to on-premises infrastructure and hardware, 19% to skilled staff, and 16% to on-premises tools and software--all of which provide the foundation for delivering security services to the enterprise.

Those priorities are followed by cloud-based security solutions (10%), consulting services (7%), cloud-based security monitory services (7%), security awareness training (7%), contracted evaluation services (6%), and external incident response services (5%).

Gartner's latest forecast for information security and risk management spending further detailed where the cash is going: nearly $77 billion will go to security services in 2022, making it by far the biggest of the spending categories; $30 billion will go to infrastructure protection; $19 billion to network security equipment; and $17 billion to identity and access management.

security budget allogaction 2021 slide 16

Click to enlarge image

Other areas getting big budgets include application security ($6.6 billion), integrated risk management ($6.4 billion), data security ($4 billion), software ($2.7 billion) and cloud security ($1.4 billion).

Shawn Eftink, senior director analyst for emerging technologies and trends at Gartner, says CISO spending can be grouped into four big areas.

The first supports location-independent security, which creates a cybersecurity program that considers identity as the de facto perimeter that needs to be protected.

The second supports the evolution of the security organization. Eftink says security departments are facing intensifying scrutiny as boards get more directors with cybersecurity experience; those board members want to see both increased efficiencies and demonstrable maturing of the security function, with decreased security product complexity being key to delivering on those expectations.

The third bucket features evolving technologies; organizations are spending more on emerging and maturing security technologies, such as breach and attack simulation tools, as well as the technologies needed to secure their growing cloud environments.

And last is outsourcing, spending that helps them bring efficiencies to their security operations as well as cope with internal staffing challenges.

security investments 2021 slide 16

Click to enlarge image.

Other security leaders have similar observations. They say CISOs are investing in access and identity management software, authentication technologies such as role-based access control (RBAC), user behavior analytics, and microsegmentation to support their maturing zero trust architecture. CISOs are spending on cloud security solutions. They're buying automation and analytics to deal with the vast scale of security data more effectively and efficiently. And they're engaging managed security services providers (MSSPs) to augment their own staff's efforts.

"Identity and access management, third-party risk management, real-time intelligence and zero trust are all big areas of security investment," Nocera says.

Smart spending

CEOs, in PwC's 24th Annual Global CEO Survey, cited cyber threats as the No. 2 risk to business prospects, second only to pandemics and other health crises. CEOs in North America and Western Europe put cyber as No. 1.

Yet at the same time, experts say CEOs aren't willing to write blank checks to their CISOs. The security chiefs' own budgets for 2022 reflect that fact.

That's with good reason, experts say.

"Spending doesn't necessarily equate to security," Eftink says, sharing an oft-repeated idea in the profession.

In fact, he says CISOs can expect that they'll have to continue driving efficiencies and become more effective with either the same or minimally increasing budgets. And to do that they're going to have to continue to shift security left, to embed it from the start into the operational processes and digital products that power the business and to weave security into the very fabric of their organizations.

"The majority of what has to happen is a transition of thinking: Security has to be an embedded piece, it can't be an afterthought. A paradigm shift has to happen," Eftink says.

Nocera agrees.

"As companies allocate money to address these problems, they also need to build systems that are integrated across the company, making cybersecurity everybody's business, not just the CISO or IT team," he says. "Ultimately, strong companywide cybersecurity operations can build trust within companies, stakeholders, and consumers, becoming a competitive differentiator. The costs companies are fronting today to strengthen their systems should be thought of as investments in their future business models."