CISOs are struggling to get cybersecurity budgets: Report

The study that surveyed 550 CISO respondents within the period of April to August 2023 revealed there has been a general downtick in the allocation of funds for cybersecurity across sectors.

“Across industries, the decline in budget growth was most prominent in tech firms, which dropped from 30% to 5% growth YoY,” IANS said in a report on the study. “More than a third of organisations froze or cut their cybersecurity budgets.”

Budget growth was the lowest in sectors that are relatively mature in cybersecurity, such as retail, tech, finance, and healthcare, added the report.

Security budgets grow at a reduced pace

The budget increase for the study sample of CISOs was 6% in the 2022-2023, a significant slowdown from the 17% increase in the 2021-2022 budget cycle. The previous budget cycle (2020-2021) had observed a 16% growth.

“I think the recent economic pressures have impacted every division in every company, cybersecurity included,” said Chris Steffen, vice president – research at Enterprise Management Associates. “I don’t really take it as a de-prioritisation of cybersecurity spending but rather a cut in spending by the enterprise in general.”

In 37% of cases, CISOs reported flat or declining cybersecurity budgets, year-over-year, compared to just 21% in the 2021–2022 cycle. The budget approval rate was 35% i.e., CISOs received approval for a budget increase that was 35% of the amount they had originally requested. This was down from 52% the previous year.

“In the latter part of Q4 2022, many CISOs reported that their approved 2023 budgets were being slashed as part of an overall budget tightening,” said Steve Martano, partner at executive search firm Artico Search, which partnered with IANS for the study.

Incident-driven budget increase

Of the CISOs whose companies did increase cybersecurity budgets, 80% indicated extreme circumstances, such as a security incident or a major industry disruption, drove the budget increase.

While companies impacted by a cybersecurity breach added 18% to their budget on average, other industry disruptions contributed to a 27% budget boost.

“I think there has always been a component of security spending that is forced to be reactive: be it incidents, updated regulatory or vendor controls or shifting business priorities,” Steffen said. “To some degree, technology spending in general has always been like this, and will always likely be this way.”

“Staff and compensation” remained the biggest cybersecurity spending category, claiming 38% of the overall security budget. Hiring secured a 16% increase in allocation compared to the 6% average budget growth in the previous year.

Security budgets turning synonymous with IT spends

Although major cuts were reflected in the cybersecurity budgets of mature sectors including retail, tech, finance, and healthcare, the cybersecurity share of IT budgets across these sectors remained steady, maintaining a four-year streak.

Funds allocated to security within IT budgets averaged 11.6%, with about 40% of the CISOs saying they spend over 10% of their IT allocations on cybersecurity. About a third of the respondents said they spend less than 6% of the IT budget on cybersecurity.

“This is a symptom of shifting definitions,” Steffen said. “While there are obvious strictly IT spending considerations, security will likely always have at least a secondary consideration or opinion on that spend. For example: a traditional IT spend would be a new computer/laptop purchase. But it seems extremely unlikely that a laptop would be issued without security-related software (hardening, anti-virus, monitoring, etc).”

The report highlighted that security allocation within IT budgets follows concerning variability as certain sectors such as tech, consumer goods, and services have more than 15% allocation, compared to companies in sectors such as legal, manufacturing, healthcare, and retail, all having less than 10% allocation.