Information Security Spending Will Top $101 Billion By 2020

Security executives often blame a lack of budget for their inability to stay on top of existing and emerging threats. But recent trends in security spending suggest that they would have less of an argument for doing so over the next few years.

In 2016, organizations around the world will spend a record-breaking $73.7 billion on cyber security measures. By 2020 that number will jump to over $101 billion at a compound annual growth rate of 8.3 percent, according to newly released estimates from IDC.

For perspective, the projected growth in security spending is more than double the rate at which overall IT spending will likely grow in the same five-year period.

A lot of the increased investment will be on security services. This year nearly 45 percent of all cybersecurity investments will be on managed security services consulting, integration, and related services. The managed security services segment alone will generate revenues of $13 billion in 2016, IDC said in its forecast.

Private and public sector organizations will also spend heavily on software products, especially endpoint protection tools, vulnerability management products, and identity and access management software. Spending on these tools will account for 75 percent of all spending on security software, IDC said. Security hardware revenues meanwhile will reach $14 billion this year driven mainly by surging demand for unified threat management and user behavior analytics systems.

Much of the growth in security investments appears to be driven by fear. "Today's security climate is such that enterprises fear becoming victims of the next major cyberattack or cyber extortion," said Sean Pike, vice president of security products at IDC. "As a result, security has become heavily scrutinized by boards of directors demanding that security budgets are used wisely and solutions operate at peak efficiency.”

IDCs estimate for information security spending is actually slightly lower than Gartner’s forecast for 2016. According to Gartner, worldwide cybersecurity spending will top $81 billion this year or about 10 percent higher than the IDC estimate.

IT outsourcing and consulting are currently the two areas where organizations currently spend the most on security. Through the end of 2020, the highest growth will come from data loss prevention technologies, security testing products, and IT outsourcing, Gartner has predicted.

The analyst firm expects security spending to become increasingly service-oriented as organizations that are facing staffing and talent issues turn to third parties for help.

The apparent willingness by organizations to spend more on information security should remove some of the constraints that many executives claim have held them back from a better security posture.

But the fact that so many organizations continue to get hacked amid all the increased investment suggests an implementation disconnect, said Ilia Kolochenko, CEO and founder of web security firm High-Tech Bridge.

“Something is wrong here,” he said in a statement. “We cannot continuously increase our cybersecurity budget and get instantly and more frequently hacked in parallel.”

What the trend shows is that spending more does not mean spending better. Often for instance, an organization might invest in a security product because it worked for someone else. That is a mistake, he says in separate comments to Dark Reading.  “A solution that is successfully mitigating threats at [the] largest banks may be inappropriate for insurance firms, governments or SMBs.”

For all the money invested today in security, everything is effectively hacked all the time, says Jeremiah Grossman, head of security strategy at SentinelOne pointing to recent breaches at the NSA, DNC, OPM and, multiple retailers.

“Will the extra $27 billion turn things around? I doubt any security professional would bet on that outcome,” he says.

Grossman believes the only way to turn things around is by changing the incentives around cybersecurity. “The only thing I see that’s capable of turning things around is cyber-insurance, security vendors offering product warrantees, and new software liability regulations,” he says. “In infosec, we’re less dealing with an awareness issue anymore and more of economics incentives issue.”

Related stories: