
CISO budget survey: Modest increases in 2024

Security budgets are either flat or increasing modestly compared to 2023, due to global economic and geopolitical uncertainty, according to a new survey of CISOs. One result is slower staff hiring.

Those are the main conclusions of the annual security budget report released on Thursday by IANS Research and executive recruiting firm Artico Search.

Nearly two-thirds of respondents surveyed reported increased budgets in 2024. The average budget growth rose from 6% in 2023 to 8% this year.

But that’s only about half of the growth rates during the Covid-19 pandemic years of 2021 (16%) and 2022 (17%), when the digital transformation required to deal with staff working remotely powered spending. A quarter of CISOs said their budget this year is flat, while 12% faced declines.

“We saw more plateaued spending [this year] because organizations from a macro level have been tightening their belts,” Steve Martano, an IANS faculty member and a member of Artico Search, said in an interview.

“There’s a lot less movement in terms of leadership, who take up 40% of the security budget because of comps [compensation] and staff. That was a contributing factor as well. And we heard anecdotally in Q4 of ‘23 that early projections on security budgets were being ratcheted down, and that continued through the whole year.”

“That belt tightening continued through most of 2024. It’s a little early to say what that will look like in 2025. We’re seeing a little bit of signs of life as far as movement in the market in terms of opportunities for CISOs, but we don’t have the implications of the budgeting on that.”

The survey covered 775 CISOs, 681 of whom completed the section on budget and security headcount growth and multiyear budget trends. Just over 90% of the respondents worked for American firms, while 5% were Canadian and another 3% were from Europe and the Middle East.

The plateau in annual spending budgets is in part due to economic conditions and in part because fewer organizations need to spend on huge digital transformations, Martano said. Survey respondents said CISOs getting bigger budgets have to deal with events like data breaches, new regulatory requirements, or the organization getting a new large customer.

Those sectors seeing security budget increases are financial services, technology, retail and hospitality, and legal. Those seeing decreases are healthcare, business services, consumer goods and services, and manufacturing. These may be organizations hit hardest by inflation and that are not only cutting cyber budgets but overall spending, the report says.

Headcount growth cooling

Security headcount growth is also cooling. While still double-digit, staff was expected to grow 12% this year, down from 16% last year and 31% in 2022. Put another way, 52% of CISOs planned to add headcount this year, slightly down from the 55% of respondents in 2023 who said they would add staff, and markedly down from 68% in 2022.

For the last 12 months, the report said, it has been difficult for CISOs to add staff even when there’s a need. “Teams are being asked to do more with less, and CISOs are finding it difficult to get budget for recruiting and hiring. This puts a lot of pressure not only on CISOs, but also on their teams.”

It causes staff on the security team to get burned out, warned Martano, while picking up the slack for others and not necessarily getting the compensation they feel they deserve. “And while attrition has been relatively low in 2024, as soon as something pops up that’s interesting to them, they will likely pursue it. There’s going to be a reckoning when the market starts to open up more and people have opportunities.”

CISOs will have to look at the money they have and prioritize it, he added.

Security spending as a percentage of IT is growing

One good sign for CISOs: Security as a percentage of IT spend continues to grow. It was 8.6% in 2020, and is expected to be 13.2% this year. Security budgets measured as a percentage of corporate revenue are also up. “These upward trends indicate larger shares of organizations’ resources are being allocated to security compared to other functions,” said the report.

About half of CISOs surveyed say they are somewhat or very satisfied with their budgets. “Anecdotally,” the report added, “many CISOs think their budgets should be larger.”

But, Martano said, the security budget has to match the risk posture of the organization, unless there was a boost in spending due to a data breach or a special event. “An information security leader who asks for a budget that mis-aligns with everybody else” is a problem. “If everybody’s taking a haircut and the CISO expects an 80% increase in their budget, all else equal, that probably shows a lack of executive maturity.”

CISOs want to have more tools and offer better compensation to staff, he acknowledged. But “as this function [CISO] becomes more of a business executive function, there is an understanding that there is going to be scrutiny on the budget. It needs to be aligned with the priorities of the organization, that it’s not just security for security’s sake. It needs to be aligned with the risk posture as well.”

If a CISO wants to justify a budget increase to the CEO and board, there will have to be a catalyst, Martano said, such as digital transformation.

“To do that, CISOs need to be in front of their board, in front of the executive leadership, articulating how security fits into the broader business objectives.”

