As the number of cybersecurity threats has increased over the last decade, CISOs and their teams have benefited from budget increases. This wellspring of security spending was meant to help organizations create more resilient infrastructures, repel outside attacks and reduce the risks presented by data breaches and leaks.
And now the COVID-19 pandemic may change all that.
As stay-at-home orders begin to lift and some workers begin to return to physical offices, organizations large and small are coming to grips with the aftermath of staying closed for months, with indicators signaling that many parts of the world could slip into an economic recession, or worse, a depression. As a result, overall IT spending is likely to take a hit, which may affect cybersecurity budgets, as well.
In May, Gartner predicted that overall IT spending will decline 8 percent between 2019 and 2020, with areas such as enterprise software and IT services taking major hits, which could signal that organizations may also spend less on security software and services. One bright spot: With the increase in remote work, companies still plan to put more of their money into cloud services such as IaaS and SaaS as well as cloud-based collaboration tools.
A slightly more upbeat report from Gartner, released in June, found security spending would increase about 2.4 percent in 2020, but that’s far from the original projection of 8.7 percent.
At roughly the same time, Forrester released its own report that found the 10-year-long increase in cybersecurity spending is now coming to an end, and many CISOs are preparing for hiring freezes and staff cuts even as issues such as ransomware and distributed denial-of-service attacks remain a threat to organizations.
“For those with requisitions that are backfilling employees that recently left, don’t expect those requisitions to get filled either. Add in that some employees will inevitably get infected and miss work, or have worse outcomes, and staffing will get and stay rocky for the foreseeable future,” the Forrester report stated.
Even security firms and vendors are finding themselves in tighter budget times. Over the last month, reports have surfaced that Sophos, which is owned by private equity firm Thoma Bravo, is bracing for a possible 16 percent workforce reduction, according to various media reports.
“We’re a bit early to see an industrywide trend on cybersecurity budgets due to COVID-19, but at this time, many security teams have had their allocated budgets put on hold or reduced altogether, as businesses adjust to revenue shortfalls,” John Hellickson, CxO Advisor for Cyber Strategy at Coalfire, an advisory firm, told Dice. “I anticipate that many organizations will see more refined budget approval processes, where they won’t necessarily be able to spend their annually approved budget as they used to.”
Shift In Priorities
As parts of the world emerge from the COVID-19 pandemic, many organizations are reassessing their priorities, such as whether to bring staff back to offices or to keep employees at home to help reduce risk. With that, CFOs are making budget decisions based on overall economic factors that are likely to affect technology issues such as spending on technology and security infrastructure.
Steve Durbin, the managing director of the non-profit Information Security Forum, notes that many organizations are likely to focus on mission-critical projects that can return a profit. After that, it’s likely that the fallout from COVID-19 will affect security hiring, buying of products and services and other cybersecurity initiatives.
“Expect to see an increase in contractor hires—with a shaving of day rates—outsourcing service contracts where prices are keenly monitored and adjusted regularly, freezing of non-essential contracts such as training, non-essential travel becoming non-existent and unfortunately, the inevitable layoffs with associated pressure on salaries across the sector,” Durbin told Dice.
Durbin believes, however, that most of these cuts will be temporary and that forward-thinking organizations know that security can’t be slashed at a time when adversaries are finding more and more ways into enterprise networks. If CISOs are smart, Dirbin added, they can use this time to strengthen their position within their organization.
“Security leaders will need to adapt, swiftly, to speaking the language of the business in relating any necessary spend to key performance indicators, alignment with strategy and cost-saving initiatives,” Durbin said. “We will see cutbacks and the need for effective management of resources will be key—but not at the cost of opening up our organizations to attack or reputational damage which hinders the return to business effectiveness and longer-term prosperity. We are set for a period of readjustment. A reboot is now in progress. And security has a chance to grab one of those seats at the table that it has been clamoring for to help in rebuilding our organizations and the larger economy in a safer, more security-manageable way.”
Coalfire’s Hellickson does not believe that most companies and organizations will start to slash security staff, especially when threats such as phishing attacks and nation-state hacking remain high due to the COVID-19 pandemic. He does, however, predict that CISOs will be asked to produce some types of cost savings, whether this means delaying hiring or rethinking the types of software and services that are being deployed.
“I don’t anticipate this will have much of an impact on the continued need for additional cybersecurity hiring, but likely will extend the hiring processes out while trying to find more versatile and well-rounded candidates,” Hellickon said. “Ultimately, this is the time for CISOs and security leaders to get better aligned to the business, and demonstrate through sound risk management practices their support for their organization’s need to manage expenses while balancing potentially increased cybersecurity risks to the enterprise.”
Follow the Money
While some see trouble ahead for security spending, not all are sure that 2020 will result in decreases. In a recent note sent to clients, Bank of America Securities actually predicts cybersecurity spending increasing about 2.8 percent this year, even as overall IT spending drops. This uptick includes investments that move away from traditional technologies such as firewalls and into cutting-edge offerings such as identity and access management, endpoint security, zero-trust initiatives and cloud-based services.
Hank Thomas, co-founder and CEO of Strategic Cyber Ventures, a venture capital firm that invests in security companies, notes that COVID-19 hit at a time of fragmentation in the security market. This is likely to lead to increased M&A activity, with larger security vendors picking up smaller companies to help round out their own portfolios.
On June 15, for example, IBM announced a deal for security firm Spanugo, which makes security assurance software. This may help Big Blue offer more cloud-based services for customers in highly regulated industries.
At the same time, these macro-security trends mean that cybersecurity budgets are not going away, merely shifting to other priorities, Thomas told Dice.
“The virus has only served as a forcing function for security leaders to more deeply review what they have in their security arsenal. Portions of security budgets are being realigned to secure remote work scenarios that companies were rapidly driven towards once the pandemic went into high gear in March,” Thomas said. “I have seen very few security budgets being slashed, simply realigned to previously underserved areas like identity and access management. In many cases, I’ve seen budgets increased over the past three months to support the rapid changes required for effective and secure business operations.”
Visit our COVID-19 Resource Center, which aims to provide the tech community with the best, most up-to-date information on the novel coronavirus.