Is Chaos the New Normal? Security Spending Trends to Watch in 2019
By Zane Pokorny on February 5, 2019
In a new study, Forrester looked at how global security decision makers prioritized their spending, examining trends across industries and across organizations of different sizes in order to make predictions about how security leaders should plan their budgets in 2019.
What Forrester’s analysts found speaks to the rapidly changing environment we now operate in. In broad strokes, and without much hyperbole, “chaos is the new normal” for even the most experienced security leaders. The digital transformation that leading companies are undergoing is not only increasing efficiency and productivity; it is also massively expanding the attack surface for everyone.
The short answer to what that all implies, according to the report, is that “your security budget needs room to surge.”
Chaos Is the New Normal
“Security leaders exist in a universe where seemingly infinite external factors can derail the most disciplined budgets,” the report says. Threats come from both internal and external sources, and our own biases can sometimes make them difficult to prioritize.
Large data breaches or shifting market forces make the news and capture the attention of decision makers with less of a technical background, but more subtle threats such as malicious insiders, misconfigured software, and unintended policy violations can pose just as much risk, if not more, to any organization not prepared to handle them.
Splurging (or Not) on Security
Forrester divided the organizations it analyzed into three brackets based on the percentage of their overall IT budget devoted to security: zero to 10 percent, 11 to 20 percent, and 21 to 30 percent. Although many organizations were spending more than 30 percent of their IT budget on security at the time of the research, Forrester concluded that these are usually temporary surges in response to a security event such as a breach, and that nearly every organization falls into one of the three brackets over the long term.
In addition to dividing groups into three spending brackets, Forrester also broke down spending by industry, looking at examples from six subgroups: manufacturing, retail and wholesale, business services and construction, utility and telecom, financial services and insurance, and public sector and healthcare.
For groups that spent between zero and 10 percent of their IT budgets on security, Forrester learned the following:
- 54 percent reported that they did not know of any breaches to their company’s sensitive data in the last 12 months.
- The two industries that were best represented in this bracket were financial services and insurance, and public sector and healthcare. 31 percent of organizations in each of these industries were in this spending bracket.
For groups that spent between 11 and 20 percent of their IT budgets on security, Forrester learned the following:
- 42 percent reported that they did not know of any breaches in their company’s sensitive data in the last 12 months, while 26 percent reported three or more breaches.
- The industry best represented in this bracket was retail and wholesale, at 40 percent. Not far behind was utility and telecom, at 38 percent.
For groups that spent between 21 and 30 percent of their IT budgets on security, Forrester learned the following:
- 48 percent of organizations in this bracket reported that they did not know of any breaches in their company’s sensitive data in the last 12 months, while 24 percent reported three or more breaches.
- No industry saw a majority of organizations fall into this bracket. Utility and telecom was the highest, at 32 percent.
There is, of course, an important difference between a company being breached and a company knowing that it has been breached; “no known breaches” is a statement about detection capability as much as about actual exposure. Organizations in healthcare and financial services, for example, hold massive amounts of sensitive data such as private health records, bank statements, social security numbers, and other valuable personally identifiable information (PII), and yet both industries are best represented in the lowest spending bracket. Forrester notes that their lower spending means they cannot quantify risk or monitor for threats as effectively, which may give them a false sense of security.
‘2019 Will Be the Year of Security Services’
Across all three spending brackets, another trend held true: between 2017 and 2018, organizations shifted their spending toward security services and away from security products.
This trend can be explained by the following:
- Cybersecurity Skills Shortage: The roles that make up the cybersecurity field, such as security operations, incident response, and vulnerability management, require years of experience and specialization. That is leading to a growing gap between the pool of qualified workers and the demand for them. Many organizations are responding by buying security services instead of products, outsourcing the work to third parties.
- Fast Change and Innovation: Cybersecurity is evolving rapidly and becoming more crucial to the successful operation of nearly every industry. “With each advancement in cybersecurity technologies,” Forrester writes, “firms struggle to train their security workforce to make the best use of the tools they license.” The response, again, is to outsource to providers such as managed security service providers (MSSPs).
What to Invest in: Threat Intelligence, Training, Third-Party Requirements
So what should you spend on? At a broad, strategic level, Forrester notes some consensus across industries about where to focus security spending: aligning security capabilities with cloud investments, training employees to follow better security practices, and placing a growing emphasis on threat intelligence.
- Aligning With Cloud Infrastructure: As data processing and storage requirements grow, companies are increasingly relying on cloud infrastructure. “No matter how big — or small — your security budget is in 2019,” Forrester notes, “cloud strategy should play a prominent role in your strategic priorities.” That means “hardening existing configurations, validating that existing processes work for cloud deployments, creating new security capabilities for cloud-based deployments, and training developers and systems administrators how to secure cloud-based applications and infrastructure.”
- Better Internal Training: As Forrester puts it, “people still comprise a massive amount of attack surface for companies.” Whether through a malicious insider or an employee who responds to a phishing email, the easiest way into a network is usually a set of valid credentials. Teaching sound security practices to employees across the company reduces, though it does not eliminate, the chance that those credentials are handed over.
- Threat Intelligence: Organizations across all three spending brackets are increasingly relying on cyber threat intelligence to improve their security posture. The old model of building a strong perimeter around your network does not hold up when what counts as “inside the wall” includes third parties such as cloud storage providers and partners with access to sensitive data. What is needed today is better awareness of the threat landscape, which is what threat intelligence platforms aim to provide.
Get the Full Report
A summary like this one will do in a pinch, but you will want to read the full report. It includes a much more extensive breakdown of spending by industry and bracket, more detailed predictions for 2019, spending recommendations, and an explanation of the methodology Forrester relied on. Download your complimentary copy of the report today.