Cybersecurity spending and economic headwinds in 2023

Jan 12, 2023 | 4 min read
Topics: Budgeting, CSO and CISO

Investments will increase, but CISOs will be more selective, driving the need for federated technology architectures.


Now that everyone, their brother, sister, and dog have chimed in on cybersecurity predictions for 2023, here are a few observations based on some recent ESG research.

First the numbers: 53% of organizations will increase IT spending in 2023, 30% say IT spending will remain flat in 2023, and 18% forecast a decrease in IT spending. As for cybersecurity, 65% of organizations plan to increase cybersecurity spending in 2023.

These numbers mean that some organizations with flat or decreasing IT budgets will still increase spending on cybersecurity. This trend is further supported by the fact that 40% of survey respondents claim that improving cybersecurity is the most important justification for IT investments in 2023. This research was conducted in late 2022 when respondents were well aware of the economic headwinds and built appropriate assumptions into their budget planning.

While the data points to fairly robust cybersecurity spending increases, it also indicates some caution. Seventy percent of survey respondents say that budget cuts or freezes are likely or possible this year. If cuts occur, IT and security professionals claim they will trigger hiring freezes, project delays, and greater vendor scrutiny.

How CISOs will respond in 2023

So, spending increase predictions must be tempered as organizations are prepared to step on the brakes if need be. Based on all the ESG data, I believe:

  1. CISOs will focus inward. With IT spending slowing, CISOs will assess their existing security programs with a fine-tooth comb. This will lead them to concentrate their efforts in two areas: (1) security hygiene and posture management, and (2) improving existing processes and controls. Security hygiene and posture management initiatives will include discovering, analyzing, and monitoring all IT assets, so technology vendors such as Axonius, Brinqa, Detectify, JupiterOne, Noetic Cyber, Panaseer, and Sevco should benefit. ServiceNow should also see activity, especially with existing customers looking to consolidate security and IT operations. As for the second area, improving existing processes and controls will include process automation and SOAR, operationalizing MITRE ATT&CK, and more frequent security testing.
  2. Investments will be more tactical than strategic. Security teams are already eschewing long-term contracts and postponing complex resource-intensive projects. This means they’ll break project and platform initiatives into digestible bites, investing in high-priority needs. Rather than big bang zero-trust plans, security and IT teams will focus on application and data classification, access policies, policy enforcement, and network segmentation. Similarly, security operations teams may be reluctant to replace legacy SIEM platforms in 2023. Rather, they’ll surround SIEM with security data lakes, XDR, and SOAR tools, supporting them with a greater emphasis on security engineering, homegrown analytics, and staff augmentation services. While economic downturns often lead to training budget slashing, this won’t happen in 2023. To drive employee retention and improved productivity, CISOs tell me they plan to increase investments in staff training and education.
  3. Consolidation will give way to federation. Yes, organizations will continue to consolidate vendors and integrate technologies, but at a more gradual pace. Meanwhile, they’ll focus their efforts on individual security domains—cloud security, email security, endpoint security, network security, etc. This will lead to more open domain-based platforms, stitched together through APIs and a growing array of open standards. I believe 2023 will be a big year for the Open Cybersecurity Schema Framework (OCSF), introduced at Black Hat 2022. Security technology federation will be part of the day-to-day lexicon before 2024 arrives. Hmm, sounds a bit like security operations and analytics platform architecture (SOAPA) to me.
  4. Services spending will dominate budgets. The ESG research indicates that nearly half (45%) of organizations say they have a problematic shortage of cybersecurity skills. This means they don’t have an adequately sized staff and they lack some advanced but necessary cybersecurity skills. Despite industry layoffs, cybersecurity professionals will remain in high demand. CISOs have no choice but to augment internal staff and skills with service providers in areas like managed threat intelligence programs, managed detection and response, and identity as a service.

Cybersecurity is a business priority, and many organizations need a lot of help here. Investments will continue, but there'll be a "back-to-basics" vibe throughout the year. CISOs will also fine-tune planning as the year unfolds.

Some hyperbolic vendors will eat humble pie in 2023 while VCs find themselves drinking house wine at the Rosewood hotel in Menlo Park. Alternatively, security professionals and CISOs will benefit from more practical programs focused on priorities, existing resources, and getting the biggest bang for their security spending bucks.