The security budgets at enterprises that participate in 451 Research's Voice of the Enterprise (VotE): Information Security studies have continued to increase on average year over year since measurements began in 2015. This year is no exception: 80% of respondents note a planned security budget increase, while the average increase across the survey population is 17%. It comes as little surprise then that the recent Digital Pulse survey of general IT practitioners noted information security as second only to off-premises cloud services as the area of greatest budget increase in 2018.
The 451 Take
Security budgets are up, and last year's research on key projects in information security did not indicate a single technology where spending was decreasing in aggregate, even in long-tenured services. A rising tide lifts all boats, but that doesn't tell the entire story – one that sees underlying changes in the way technology services are delivered in general affecting where security spending is applied. 'Invisible infrastructure,' notably the move to hosted cloud, puts further pressure on network security and hardware-delivered services while application security focus grows. A difficult hiring environment in security raises the percentage of budget allocated to personnel expenses, and portends an increase in the use of managed security service providers (MSSPs).
Certain categories come in ahead of the study average budget increase: notably, very large enterprises (10,000+ employees) beat the overall study average with a projected 20.8% increase. Heavily regulated industries also trend higher, with financial firms reporting a 20.4% increase and healthcare organizations reporting a 19.5% increase in security spending in 2018. Further, those survey takers who classify their enterprises as 'early adopters' of new technology, which inherently take a greater technology risk position based on service maturity, project their security spending to be 20.6% higher in 2018.
Figure 1: Information Security Spending Change over Time
Source: Voice of the Enterprise: Information Security, Budgets and Outlook 2017
"[Security] is definitely a cost and it's recognized as a cost. But I think it's recognized as a needed cost." – Mid-Level Management, 250-499 Employees, $100M-$249.99M Revenue, Software, IT & Computer Services
"[Budget] is such a movable feast of, who would have thought six months ago that we'd have been doing an out of band patch on every single piece of hardware that we have because it either had an Intel chip in it, an AMD chip in it, or an ARM chip in it.... The only thing we didn't patch was our mobile phones.... When you've got things like Meltdown.... Spectre, there's always going to be that sort of thing that's going to come out of the woodwork, so no, I don't think you'll ever have a budget that will allow you to be able to say, 'Yes, we've got every vulnerability covered.'" – IT/Engineering Managers and Staff, 500-999 Employees, $50M-$99.99M Revenue, Education & Training
Shifting away from network security
Network security tools today capture the highest percentage of security budgets, but that share continues a three-year trend of being under pressure. While cloud is not the only reason, the concept of securing the traditional top-down campus network has historically been challenged by other factors such as mobility and new internal traffic patterns, and hosted cloud services continue a steady growth pattern that coincides with network security's deceleration. About 40% of respondents to the recent Budgets and Outlook survey report IaaS usage, up from 31.5% in 2015. PaaS usage grew from 18% to 29% over the same period.
The on-premises perimeter will continue to have a role, with IT architecture likely remaining a hybrid affair between on-premises and cloud in the immediate future, but the tea leaves are clear: as a percentage of security budget, these tools have dropped from 40% to 35.9% in three short years. Further, the budget allocation to hardware-based security services, which generally lack both portability and the ability to effectively function in virtual infrastructure, has fallen from 20% in 2015 to 17% (see Figure 3), with a further predicted decline to 15.5% in 2019. None of this is news to the major network security vendors, which have largely taken steps to broaden their security offerings.
Figure 2: Spending Distribution among Information Security Tool Categories
Source: Voice of the Enterprise: Information Security, Budgets and Outlook 2017
"[We] are switching to a software-defined network internally and it's much easier for us to use software-defined tools to be able to tap in, access, and be able to respond to the traffic. And the appliances are having harder and harder times getting within that traffic flow because it's virtual and the network changes. And you either force yourself to go back to an older legacy model of network capabilities to feed these systems or you need software appliances and taps that actually work from there. So we're replacing." – Senior Management, 2,000-4,999 Employees, $1B-$2.49B Revenue, Financial Services
Application security had a notable increase in budget share in 2017, to almost 15% on average. As infrastructure continues to abstract (a concept we refer to as invisible infrastructure) and application portability requirements (on-premises and in the cloud, across clouds) increase, the network security controls previously relied on will continue to erode. If security must follow the application, it must be built into the application.
Budget to the people
The 2017 VotE: Information Security study on organizational dynamics made clear that organizations have an information security skills shortage (67.3% of those surveyed), and that hiring is difficult (47.6% of very large, or 10,000+-employee, enterprises cited hiring as extremely difficult). Retention is only slightly better: 28.6% of very large enterprises note that retention is very difficult in the current market climate as well.
Adding new people is also the top way security teams changed last year. These factors help explain why more of security budgets are going toward personnel costs, capturing 39.6% of budgets in the most recent study, up from 34.1% last year. MSSPs, which can replicate certain security operational functions but do so while building an economy of scale by serving multiple organizations, can alleviate at least parts of this resource crunch. As a result, MSSPs saw modest budget allocation growth at the end of 2017 to 14.7%, but security professionals expect that stake to grow to 17.3% by 2019.
Figure 3: Spending Distribution among People, Software, Hardware, and Services
Source: Voice of the Enterprise: Information Security, Budgets and Outlook 2017
The cloud allocation
Finally, the growth of hosted cloud services has a macro-level effect across all categories of security tools, whether flavors of the same vendor security tool can be used both on-premises and in hosted environments or whether entirely different approaches to a tool's function are required for the cloud. Respondents reported an average of 22.1% of their security budgets being allocated toward securing their hosted cloud, and that percentage actually trends higher the smaller the organization, likely because smaller firms have less of a legacy investment in on-premises infrastructure to continue to secure. In firms with 1-249 employees, 29.5% of budget is allocated toward securing the hosted cloud, and in firms with 250-999 employees, 22.9%. This compares with an allocation of 17.5% at the largest firms, those with 10,000+ employees.
An organization's approach to new technology adoption also has a direct effect on how much of its security budget is allocated toward the hosted cloud. Organizations that classify themselves as early adopters devote 37.6% toward cloud security, versus those that take a 'sooner rather than later' approach (22.6%) and those that self-classify as conservative (14.8%). Put another way, those further into the cloud journey, in whatever form that takes, including private cloud, are bearing the cost of implementing increasingly sophisticated answers to securing that environment. The current operating environment, supporting both hosted cloud and on-premises for the foreseeable future, will not provide any alleviation to security budgets, as a mix of new and established players offer answers to securing the cloud that are increasingly adopted by enterprises that move slower toward new technology.
"In some cases [security] is more costly because not all the providers have caught up.... You can have 500 micro-servers that are very, very small as opposed to 100 big always-up solutions. So now you're having to license 500 little instances as opposed to 100 big ones. And all these solutions, from a security perspective, haven't quite got up to speed with the pricing models to match.... There's definitely increased spending that I see now for security solutions in the cloud that we're still dealing with or going to have to face over this next couple of years." – Mid-Level Management, 250-499 Employees, $100M-$249.99M Revenue, Software, IT & Computer Services