The security budgets at enterprises that participate in 451 Research's Voice of the Enterprise (VotE): Information Security studies have continued to increase on average year over year since measurements began in 2015. This year is no exception: 80% of respondents note a planned security budget increase, while the average increase across the survey population is 17%. It comes as little surprise then that the recent Digital Pulse survey of general IT practitioners noted information security as second only to off-premises cloud services as the area of greatest budget increase in 2018.

The 451 Take

Security budgets are up, and last year's research on key projects in information security did not indicate a single technology where spending was decreasing in aggregate, even in long-tenured services. A rising tide lifts all boats, but that doesn't tell the entire story – one that sees underlying changes in the way technology services are delivered in general affecting where security spending is applied. 'Invisible infrastructure,' notably the move to hosted cloud, puts further pressure on network security and hardware-delivered services while application security focus grows. A difficult hiring environment in security raises the percentage of budget allocated to personnel expenses, and portends an increase in the use of managed security service providers (MSSPs). 

Certain categories come in ahead of the study average budget increase: notably, very large enterprises (10,000+ employees) beat the overall study average with a projected 20.8% increase. Heavily regulated industries also trend higher, with financial firms reporting a 20.4% increase and healthcare organizations reporting a 19.5% increase in security spending in 2018. Further, those survey takers who classify their enterprises as 'early adopters' of new technology, which inherently take a greater technology risk position based on service maturity, project their 2018 security spending to be 20.6% higher.

Figure 1: Information Security Spending Change over Time

Source: Voice of the Enterprise: Information Security, Budgets and Outlook 2017

"[Security] is definitely a cost and it's recognized as a cost. But I think it's recognized as a needed cost." – Mid-Level Management, 250-499 Employees, $100M-$249.99M Revenue, Software, IT & Computer Services

"[Budget] is such a movable feast of, who would have thought six months ago that we'd have been doing an out of band patch on every single piece of hardware that we have because it either had an Intel chip in it, an AMD chip in it, or an ARM chip in it.... The only thing we didn't patch was our mobile phones.... When you've got things like Meltdown.... Spectre, there's always going to be that sort of thing that's going to come out of the woodwork, so no, I don't think you'll ever have a budget that will allow you to be able to say, 'Yes, we've got every vulnerability covered.'" – IT/Engineering Managers and Staff, 500-999 Employees, $50M-$99.99M Revenue, Education & Training

Shifting away from network security

Network security tools today capture the highest percentage of security budgets, but that share continues a three-year trend of being under pressure. While cloud is not the only reason, the concept of securing the traditional top-down campus network has historically been challenged by other factors such as mobility and new internal traffic patterns, and hosted cloud services continue a steady growth pattern that coincides with network security's deceleration. About 40% of respondents to the recent Budgets and Outlook survey report IaaS usage, up from 31.5% in 2015. PaaS usage grew from 18% to 29% over the same period.

The on-premises perimeter will continue to have a role, with IT architecture likely remaining a hybrid affair between on-premises and cloud in the immediate future, but the tea leaves are clear: as a percentage of security budget, these tools have dropped from 40% to 35.9% in three short years. Further, the budget allocation to hardware-based security services, which generally lack both portability and the ability to effectively function in virtual infrastructure, has fallen from 20% in 2015 to 17% (see Figure 3), with a further predicted decline to 15.5% in 2019. None of this is news to the major network security vendors, which have largely taken steps to broaden their security offerings.

Figure 2: Spending Distribution among Information Security Tool Categories

Source: Voice of the Enterprise: Information Security, Budgets and Outlook 2017

"[We] are switching to a software-defined network internally and it's much easier for us to use software-defined tools to be able to tap in, access, and be able to respond to the traffic. And the appliances are having harder and harder times getting within that traffic flow because it's virtual and the network changes. And you either force yourself to go back to an older legacy model of network capabilities to feed these systems or you need software appliances and taps that actually work from there. So we're replacing." – Senior Management, 2,000-4,999 Employees, $1B-$2.49B Revenue, Financial Services

Application security had a notable increase in budget share in 2017 to almost 15% on average. As infrastructure continues to abstract, a concept we refer to as invisible infrastructure, and application portability requirements (on-premises and in the cloud, across clouds) increase, network security controls that were previously relied on will continue to erode. If security must follow the application, it must be built into the application.

Budget to the people

The 2017 VotE: Information Security study on organizational dynamics made clear that organizations have an information security skills shortage (67.3% of those surveyed), and that hiring is difficult (47.6% of very large, or 10,000+-employee, enterprises cited hiring as extremely difficult). Retention is only slightly better: 28.6% of very large enterprises note that retention is very difficult in the current market climate as well.

Adding new people is also the top way security teams changed last year. These factors help explain why a larger share of security budgets is going toward personnel costs, which captured 39.6% of budgets in the most recent study, up from 34.1% last year. MSSPs, which can replicate certain security operational functions but do so while building an economy of scale by serving multiple organizations, can alleviate at least parts of this resource crunch. As a result, MSSPs saw modest budget allocation growth at the end of 2017 to 14.7%, but security professionals expect that stake to grow to 17.3% by 2019.

Figure 3: Spending Distribution among People, Software, Hardware, and Services

Source: Voice of the Enterprise: Information Security, Budgets and Outlook 2017

The cloud allocation

Finally, the growth of hosted cloud services has a macro-level effect across all categories of security tools, whether flavors of the same vendor security tool can be used both on-premises and in hosted environments or whether entirely different approaches to a tool's function are required for the cloud. Respondents reported an average of 22.1% of their security budgets being allocated toward securing their hosted cloud, and that percentage actually trends higher the smaller the organization, likely because smaller firms have less of a legacy investment in on-premises infrastructure to continue to secure. In firms with 1-249 employees, 29.5% of budget is allocated toward securing the hosted cloud, and in firms with 250-999 employees, 22.9%. This compares with an allocation of 17.5% at the largest firms, those with 10,000+ employees.

An organization's approach to new technology adoption also has a direct effect on how much of its security budget is allocated toward the hosted cloud. Organizations that classify themselves as early adopters devote 37.6% toward cloud security, versus those that take a 'sooner rather than later' approach (22.6%) and those that self-classify as conservative (14.8%). Put another way, those further into the cloud journey, in whatever form that takes, including private cloud, are bearing the cost of implementing increasingly sophisticated answers to securing that environment. The current operating environment, supporting both hosted cloud and on-premises for the foreseeable future, will not provide any alleviation to security budgets, as a mix of new and established players offer answers to securing the cloud that are increasingly adopted by enterprises that move slower toward new technology.

"In some cases [security] is more costly because not all the providers have caught up.... You can have 500 micro-servers that are very, very small as opposed to 100 big always-up solutions. So now you're having to license 500 little instances as opposed to 100 big ones. And all these solutions, from a security perspective, haven't quite got up to speed with the pricing models to match.... There's definitely increased spending that I see now for security solutions in the cloud that we're still dealing with or going to have to face over this next couple of years." – Mid-Level Management, 250-499 Employees, $100M-$249.99M Revenue, Software, IT & Computer Services

Daniel Kennedy
Research Director, Voice of the Enterprise: Information Security

Daniel Kennedy is the Research Director for Information Security for 451 Research's Voice of the Enterprise (VotE) quantitative research product, where he is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis and has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal. His personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.

William Fellows
Research Vice President

William Fellows is a cofounder of The 451 Group. As VP of Research, he is responsible for the Cloud Transformation Channel at 451 Research. This Channel provides a point of intellectual convergence for 451 Research around cloud computing, in much the same way that the industry is converging on cloud from all points. In addition to keeping tabs on players entering the cloud and IT services space with disruptive business models, new technology and innovations in service delivery, William has also created 451 Research's Digital Economics unit. 

Jean Atelsek
Analyst, Cloud Price Index

Jean Atelsek is an analyst for 451 Research’s Digital Economics Unit, focusing on cloud pricing in the US and Europe. Prior to joining 451 Research, she was an editor at Ovum, spiffing up reports, forecasts and data tools covering telecoms and service providers, fixed and wireless networks, and consumer technology among other topics. 
