Budgeting for Cybersecurity in a Down Economy

Michael Hill

Senior Intelligence Analyst

October 30, 2023

Cybersecurity Awareness Month brings a critical reminder to the forefront of the tech community, and this year's theme, "Secure Our World: 2023 and Beyond," couldn't be more timely or poignant, particularly as organizations worldwide grapple with the complexities of budgeting in a down economy. In these uncertain financial times, the instinct to tighten belts is natural, yet as our latest research indicates, cybersecurity must be seen not as a luxury, but as an indispensable element of business strategy and continuity.

From the growing sophistication of cyber threats and the escalating costs of data breaches to the less tangible but equally critical value of customer trust and brand reputation, this article will guide you through the myriad reasons cybersecurity should stay clear of the budgetary chopping block. We'll provide insights on how to smartly allocate your cybersecurity budget, ensuring that every dollar not only enhances your defensive posture but also supports overall business resilience and growth, even amid economic challenges. This article explores why the investment in cybersecurity isn't just a commitment to protecting data and systems; it's an investment in the very health and future of your business in an increasingly digital world.

Analyst Notes

While the global pandemic may not have called forth an immediate economic downturn, current conditions would seem to indicate it just took its own sweet time to get here. Now that it has, enterprise companies are reckoning with its impacts across all aspects of their operations, including IT security. As a result, security leaders not only find themselves faced with expanding attack surfaces, but also shrinking budgets for the tools they need to adequately bolster their cybersecurity defenses.

To say that down market conditions present a challenge to CSOs, CISOs and CXOs attempting to sufficiently budget for cybersecurity is an understatement. As enterprises grow more and more dependent on technology, effective cybersecurity only becomes that much more of a must-have. That said, the fact of cybersecurity being largely seen as an enterprise IT necessity hasn’t necessarily shielded it from the ramifications of the recent downturn.

With enterprise technology budgets in decline, technology executives are having to not only look closely at how their budgets are being impacted, but also rethink their interactions with vendors and plot new strategies for evolving their security practices to keep pace with the ever-expanding attack surface and the increasing complexity of cyber threats. As a result, and perhaps not surprisingly, ROI has ascended to the top of many IT departments’ priority lists, as they find themselves essentially forced to focus on cost-effectiveness.

In fact, according to a recent study fielded by VC firm YL Ventures, 31% of CISOs said that product ROI is currently their top vendor criterion, while the same percentage said that quick time-to-value in a POC (proof of concept) is what they’re most looking for in a vendor. The study, which drew on the expertise of an extended network of prominent cybersecurity professionals to look at the down market’s effects on CISOs and cybersecurity budgeting, also revealed that cybersecurity budgets have decreased for 33% of CISOs and that 21% have seen their budgets frozen, restricting any new spending.

While such conditions would seem to leave security leaders with their hands tied about the cybersecurity postures of their organizations, many are turning to innovative practices to cut costs and still try to stay ahead of threat actors. Among the budgetary strategies that CISOs are deploying to ride out the downturn are automation (80%), consolidation (70%) and the shedding of less essential solutions (43%). As for areas of cybersecurity they are currently prioritizing most, 75% singled out cloud security, 50% pointed to data security, and 47% said application security.

Another study, this one conducted by InfoSec market intelligence provider IANS Research and Artico Search, an executive search firm that partners with VCs and PEs, similarly highlighted a widespread downslide in the allocation of funds for cybersecurity across a variety of sectors. Dubbed “The 2023 Security Budget Benchmark Report,” the study collected responses from 550 CISOs and security executives, 37% of whom reported flat or declining cybersecurity budgets in the 2022-2023 budget cycle, compared to just 21% in the 2021-2022 cycle.

Not only that, but 80% of the CISOs whose companies managed to increase their cybersecurity budgets in the 2022-23 cycle said that any budget increases were driven by security incidents or disruptions. Still, budget-cutting has been more common, especially in tech firms, where budget growth declined from 40% to 5% year-on-year, and more than a third of organizations in general either froze or cut their spending on cybersecurity.

And it doesn’t stop there. Yet another study, InformationWeek’s “Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023,” revealed some insightful, sometimes surprising, results among its findings. Based on a survey of 180 IT executives and cybersecurity professionals, the report provides a front-row seat to the cybersecurity-related challenges currently being faced by enterprises and the ways in which they are seeking to address them, especially in the face of current IT security shortages.

In addition to highlighting the barebones budgetary resources that enterprise IT departments all too often allocate to keeping pace with a vast array of emerging cyber threats, the InformationWeek report examines the top threats and disruptions to enterprise businesses, spending on defense versus spending on recovery, cybersecurity staffing issues, the high cost of ransomware, cyber liability insurance, and more.

The study includes its share of striking findings. For example, just 24% of the IT and cybersecurity professionals surveyed said they have a fully staffed cybersecurity team. Further, a mere 26% of organizations said they test their incident response procedures on at least a monthly basis, while 12% admitted to never testing them at all.

Perhaps most striking, while nearly half of those surveyed said they encountered a significant cybersecurity threat to their business over the last year, 39% of organizations apparently allocate less than a tenth of their overall IT budgets to security efforts. So where does that leave them?

Well, turning back to the findings of the previously referenced YL Ventures study, it would seem to put them in the position of having to make some difficult choices aimed at simplifying their security stacks in order to streamline operations. As revealed in the resulting report, “The Down Market’s Downmarket Effects on CISOs,” those choices invariably come with consequences, not just for IT personnel but, more often than not, for entire organizations.

With current budgetary pressures driving their decision making, more than 43% of respondents to the YL Ventures survey said they have sought to consolidate cybersecurity defenses by ending customer contracts, with 27% relying on free trials as stopgap solutions. On top of that, 23% have laid off personnel, with a whopping 70% reporting that they are attempting to save on labor by deploying more automation in its place.

In the face of all this doom and gloom, opportunities remain for cybersecurity vendors who are willing to entertain “land and expand” approaches to making inroads with enterprise customers. In addition to displaying a depth of understanding for the current struggles of CISOs (“it is very insensitive to approach us with costly contracts on the heels of layoffs,” offered one YL Ventures survey respondent), such an approach has the potential to build trust and, in turn, build products that have a more meaningful impact for organizations. Above all, it’s important for vendors to keep in mind the cyclical nature of the cybersecurity market and the high probability that, sooner or later, the factors currently limiting CISOs will be a thing of the past.

Reach out to our analysts for custom research and expert guidance, and take the first step in transforming your cybersecurity strategy into a powerful tool for business resilience.