September 26, 2023 – Despite the economic uncertainty and inflation, security budgets have generally continued to rise, but at a lower rate than in prior years, according to IANS Research and Artico Search’s just-released 2023 Security Budget Benchmark Report, an annual research study that analyzes detailed cybersecurity budget data. Respondents reported an average security budget increase of six percent, a significant decrease from the 17 percent increase in the previous budget cycle, marking a 65 percent reduction in growth. Across industries, the decline was most prominent in technology firms, which dropped from +30 percent growth in 2021-2022 to +5 percent this year, with more than 33 percent of organizations freezing or cutting cybersecurity budgets. This year’s report surveyed 550 chief information security officers, with other security executives also providing data.
“Clearly the economic slowdown has affected even hot areas like cybersecurity recruiting,” said Matt Comyns, co-founder and president at Artico Search. “For the first time in a long time, supply and demand are less disconnected. Budgets have been tighter and people are changing jobs less frequently. So, fewer roles are coming to market. That said, we are still in the early chapters of a long book on cybersecurity transformation. Companies are still building cybersecurity programs and teams. There will be a good tailwind for cybersecurity recruiting for many years to come.”
So, has it been difficult to recruit cybersecurity executives? “It’s a bit easier in 2023 than it has been for quite some time,” said Mr. Comyns. “That said, the cybersecurity executives who have all the desired skills needed have many options and leverage. For the top one percent of cybersecurity executives, they can name their price and demands. It’s still an immature/developing function. Not all executives are created equal. The risk for companies keeps rising with more advanced threats and stricter government policies and penalties. Paying well into the seven figures for the right executive to lead this complex function is worth the cost. Just ask MGM and Caesars this past month.”
“The cybersecurity sector will continue to be messy over the next five years as companies and governments sort through this complicated challenge,” he said. “My sense is things will likely improve 10 years out. Next generation executives and technology should help a lot. Governments should have a better handle on it as well.”
“The incremental growth in cybersecurity budgets is insufficient relative to the increases in scope facing security teams,” said Nick Kakolowski, senior research director of IANS. “In the latter part of Q4 2022 and throughout 2023, many CISOs reported difficulty getting the resources they need, with some indicating outright budget freezes. With the recent public breaches at Clorox, MGM, and Caesars, we will be closely monitoring how companies approach budgeting for 2024. Our research indicates that organizations that adjust spending in response to major industry disruptions boost their budgets by 27 percent, on average.”
Today, most CISOs use security budget as a percentage of the IT budget as a key metric for internal reporting and external benchmarking purposes, said Artico Search. This CISO compensation and budget study has been tracking this metric over the past four years. Since 2020, it has increased from 8.6 percent to 11.6 percent this year, indicating an increase in security spending relative to IT spending.
“The continued digital transformation and move to the cloud is a massive change for security teams who now need to hire cloud architects, cloud engineers, and cloud compliance professionals at a fast clip,” said Steve Martano, a partner and executive recruiter in Artico Search’s cyber practice. “It is not easy to recruit professionals with these highly coveted technical skills, and talent in this area is expensive.”
“The CISO’s budget is increasing as a percentage of the IT budget because IT budgets are being cut at a faster rate than security budgets, and, in many cases, security budgets are being increased,” said Mr. Comyns. “Furthermore, security is becoming more expensive and complex, while IT is becoming increasingly commoditized.”
In this year’s sample of 550 CISOs, one-third of the respondents spent less than six percent of the IT budget on security. At the high end, 40 percent of CISOs controlled 10 percent or more of their organization’s IT budget. A small number of CISOs indicated their security budget was near or exceeding 100 percent of the IT budget.
The report also found that tech firms had the largest budgets proportional to IT spend. The variability in budgeting reflected differences in risk profiles, cyberthreat levels and cyber program maturity. This was, in part, guided by a firm’s size and industry sector. In the sample, tech and consumer goods and services sectors led, with more than 15 percent of the IT budget allocated to security—well above the overall average.
The Evolving Role of CISOs
Competition for top chief information security officers is growing fierce as companies seek to protect themselves from potentially crippling cyberattacks. Newly released compensation data from IANS Research and Artico Search shows how this role continues to transform and mature. Let’s take a closer look!
In the sample, 22 percent of CISOs worked at companies backed by venture capital or private equity. Many of them were tech firms. Compared to publicly listed companies, not-for-profit organizations and other forms of private enterprises, VC-backed firms had an outsized security budget percentage, averaging nearly 30 percent, which was more than two times the overall percentage. PE-backed firms averaged 14.2 percent.
“Many VC- or PE-backed firms operate in the tech sector, where we observe higher budget percentages for security,” said Mr. Comyns. “In addition, they are more likely to be young, small, and heavily reliant on cloud technology compared to publicly listed companies or government organizations with legacy tech and established infrastructure to manage.”
Key Growth Drivers of Security Budgets
Zooming in on the subset of CISO respondents who received a budget increase (63 percent of all respondents), the report asked them to provide the primary reason behind this increase. In 20 percent of cases, the increase was a routine annual adjustment, corresponding to an average budget increase of seven percent. For 17 percent of respondents, the top reason was an increased risk; in those cases, the average budget growth was 11 percent, whereas a change in risk appetite increased budgets by 22 percent. A major industry disruption, such as a highly publicized breach, shot up budgets by 27 percent for eight percent of CISOs. The majority of respondents in this subgroup were in the healthcare sector, which was shaken by several large cyberattacks.
Mr. Martano pointed to the 15 percent of respondents who identified digital transformation as the primary reason for their 19 percent budget increase. “In many cases, strategic priority projects, such as long-term digitalization projects, were excluded from budget freezes,” he said. “These are often initiatives approved by the board and presently being executed and driven by company leadership.”
How Security Budgets Break Down
The survey data showed staff and compensation continued to be the largest category, claiming 38 percent of the security budget. Off-premises software represented 21 percent of the security budget vs. nine percent for on-prem software. Outsourcing averaged 11 percent of the security budget. “Clearly, allocations for on-premises software at companies that have their architecture mostly or fully based in the cloud are bigger than those with mostly off-premises designs,” the report said. “Furthermore, on-prem architectures have higher allocations for outsourcing, on-premises software and hardware.” More notably, companies that were fully in the cloud had a higher allocation for staff (47 percent) than companies that were fully on-prem (35 percent).
“There’s a macro transition to the cloud that’s happening across all industries and cloud-based systems require more budgeting for people,” said Mr. Comyns. “The move to the cloud means a change for security teams who now need to hire cloud architects, cloud engineers, and cloud compliance professionals. Professionals with these skill-sets are not easy to find and are expensive.”
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media