Cybersecurity Budget Rose in 2019, Uncertainty Prevails in 2020

Budgets rise as IT complexity continued to challenge companies, with identity and access management technology an increasingly common focus.

4 Min Read

Companies increased spending on cybersecurity before the shift to remote work during the coronavirus pandemic, with more budget spent on identity and access management, cyber monitoring, endpoint security, and network security, according to a study released by consulting giant Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC). 

Three major trends — digital transformation of businesses, remote work, and the shift to more partners and contractors — had already resulted in the lines blurring between the inside-the-office and remote worker, imparting momentum to the adoption of zero-trust principles, the report says. The trends have led companies to spend more per employee on cybersecurity in 2019 — 10.9% of their IT budget, or about US$2,700 on average per employee, up from US$2,300 for the prior year.

While the impact of the coronavirus pandemic has made cybersecurity budgets unpredictable, the shift to remote work will likely cause some changes in focus for cybersecurity budgets, but not necessarily the overall amount, says Julie Bernard, principal and lead of the cyber-strategic risk advisory team at consultancy Deloitte.

"I don't know that the actual dollar amount is going to change that much," she says. "I think that perhaps instead of some expansive program that some CISOs had wanted to take on — they will have to get more practical and tactical in the next several months."

While the business environment has changed because of the coronavirus pandemic, many of the challenges that face companies remain the same, according to the study. The top two challenges for business are the complexity of today's IT environments and a lack of skilled cybersecurity professionals. 

Meanwhile, their top security priorities are access control, protective technologies, and data security. Identity and access management (IAM) jumped up in the latest report to the top priority, up from the No. 2 spot in the previous two years. Budget assigned to procure identity and access management has steadily grown over the years, as a share of the overall cybersecurity budget, the companies found. In 2018, the average company used 11% of the cybersecurity budget on IAM, which grew to 14% in 2019 and 16% in 2020.

Data security technologies have also crept up in priority for the past three years, to land at the No. 3 spot this year, the report says.

"Some of the focus on data security is regulatory," Bernard says. "But I think that also data security becomes more important as you move to the cloud."

The study of corporate cybersecurity budgets used three metrics to measure expenditures: cybersecurity costs compared with total corporate revenue, costs as a percentage of IT budget, and costs per full-time employee. All three measures of cybersecurity expenses rose in 2019, according to the study. 

Cybersecurity budgets as a percentage of corporate revenue rose to an average of 0.48%, up from 0.34%. As a percentage of the IT budget, cybersecurity rose to 10.9% in 2019, up from 10.1% in 2018. And, as measured per employee, cybersecurity rose to $2,691 per full-time worker in 2019, up from $2,337 the prior year.

Financial firms spend the most on cybersecurity, as a share of employee cost. The average financial utility firm spent US$4,375 in 2020, up from $3,630 in the prior year. The amount represents about 0.8% of company's revenue, the highest percentage among the industries tracked in the report. 

Companies typically spend anywhere from 7.2% to 15.2% of their IT budgets on cybersecurity in any given year, the report says.

"It is rare that I find any company that is spending so little that it seems that they are derelict," she says. "Everyone is trying to get that portion right. And one of the reasons that we embarked on this study, we see the cyber spend on IT spend a lot, because people use it as a metric."

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights