Organisations are spending more on security as a result of regulations, shifting buyer mindset, awareness of emerging threats and the evolution to a digital business strategy.
“Overall, a large portion of security spending is driven by an organisation’s reaction toward security breaches as more high profile cyberattacks and data breaches affect organisations worldwide,” said Ruggero Contu, research director at Gartner. “Cyber attacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years.”
>See also: Enterprise security is a matter of policy
Of the 53% of organisations that cited security risks as the No. 1 driver for overall security spending, the highest percentage of respondents said that a security breach is the main security risk influencing their security spending.
As a result, security testing, IT outsourcing and security information and event management (SIEM) will be among the fastest-growing security subsegments driving growth in the infrastructure protection and security services segments (see table below).
Regulatory compliance and data privacy have been stimulating spending on security during the past three years, in the US (with regulations such as the Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, and Overseas Citizenship of India) but most recently in Europe around the General Data Protection Regulation coming into force on 28th May 2018, as well as in China with the Cybersecurity Law that came into effect in June 2016. These regulations translate into increased spending, particularly in data security tools, privileged access management and SIEM.
Gartner forecasts that by 2020, more than 60% of organisations will invest in multiple data security tools such as data loss prevention, encryption and data-centric audit and protections tools, up from approximately 35% today.
Skills shortages, technical complexity and the threat landscape will continue to drive the move to automation and outsourcing.
“Skill sets are scarce and therefore remain at a premium, leading organisations to seek external help from security consultants, managed security service providers and outsourcers,” said Contu. “In 2018, spending on security outsourcing services will total $18.5 billion, an 11 percent increase from 2017. The IT outsourcing segment is the second-largest security spending segment after consulting.”
Gartner predicts that by 2019, total enterprise spending on security outsourcing services will be 75% of the spending on security software and hardware products, up from 63% in 2016.
Enterprise security budgets are also shifting towards detection and response, and this trend will drive security market growth during the next five years.
“This increased focus on detection and response to security incidents has enabled technologies such as endpoint detection and response, and user entity and behavior analytics to disrupt traditional markets such as endpoint protection platforms and SIEM,” said Contu.
More spending: better security?
Ilia Kolochenko, CEO of High-Tech Bridge, the web security company, suggests that an increase in spending does not necessarily meaning better security.
“More does not necessarily mean better. Moreover, in light of the ubiquitous penetration of all types of technology into our everyday life, skyrocketing attacks against SCADA and emerging IoT botnets, the growth of worldwide security spending seems to be very slow and inadequate to cover at least the most important risks.”
“Many people prefer to bid on Bitcoin rather than investing in their cybersecurity. Results are clearly visible in daily media headlines announcing new data breaches and state-sponsored APTs. Hopefully, companies will re-evaluate their digital risks, implement risk-based cybersecurity strategy, revise their budgets and implement appropriate security controls to mitigate the most probable threats.”
“One should, however, be very careful not to overspend. Many companies can even reduce their current budgets by implementing risk-based approach to mitigate appropriate threats and vulnerabilities, and rigorously select vendors based on technology and not marketing claims.”