Companies increased spending on cybersecurity before the shift to remote work during the coronavirus pandemic, with more budget spent on identity and access management, cyber monitoring, endpoint security, and network security, according to a study released by consulting giant Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Three major trends — digital transformation of businesses, remote work, and the shift to more partners and contractors — had already resulted in the lines blurring between the inside-the-office and remote worker, imparting momentum to the adoption of zero-trust principles, the report says. The trends have led companies to spend more per employee on cybersecurity in 2019 — 10.9% of their IT budget, or about US$2,700 on average per employee, up from US$2,300 for the prior year.
While the impact of the coronavirus pandemic has made cybersecurity budgets unpredictable, the shift to remote work will likely cause some changes in focus for cybersecurity budgets, but not necessarily the overall amount, says Julie Bernard, principal and lead of the cyber-strategic risk advisory team at consultancy Deloitte.
"I don't know that the actual dollar amount is going to change that much," she says. "I think that perhaps instead of some expansive program that some CISOs had wanted to take on — they will have to get more practical and tactical in the next several months."
While the business environment has changed because of the coronavirus pandemic, many of the challenges that face companies remain the same, according to the study. The top two challenges for business are the complexity of today's IT environments and a lack of skilled cybersecurity professionals.
Meanwhile, their top security priorities are access control, protective technologies, and data security. Identity and access management (IAM) jumped up in the latest report to the top priority, up from the No. 2 spot in the previous two years. Budget assigned to procure identity and access management has steadily grown over the years, as a share of the overall cybersecurity budget, the companies found. In 2018, the average company used 11% of the cybersecurity budget on IAM, which grew to 14% in 2019 and 16% in 2020.
Data security technologies have also crept up in priority for the past three years, to land at the No. 3 spot this year, the report says.
"Some of the focus on data security is regulatory," Bernard says. "But I think that also data security becomes more important as you move to the cloud."
The study of corporate cybersecurity budgets used three metrics to measure expenditures: cybersecurity costs compared with total corporate revenue, costs as a percentage of IT budget, and costs per full-time employee. All three measures of cybersecurity expenses rose in 2019, according to the study.
Cybersecurity budgets as a percentage of corporate revenue rose to an average of 0.48%, up from 0.34%. As a percentage of the IT budget, cybersecurity rose to 10.9% in 2019, up from 10.1% in 2018. And, as measured per employee, cybersecurity rose to $2,691 per full-time worker in 2019, up from $2,337 the prior year.
Financial firms spend the most on cybersecurity, as a share of employee cost. The average financial utility firm spent US$4,375 in 2020, up from $3,630 in the prior year. The amount represents about 0.8% of company's revenue, the highest percentage among the industries tracked in the report.
Companies typically spend anywhere from 7.2% to 15.2% of their IT budgets on cybersecurity in any given year, the report says.
"It is rare that I find any company that is spending so little that it seems that they are derelict," she says. "Everyone is trying to get that portion right. And one of the reasons that we embarked on this study, we see the cyber spend on IT spend a lot, because people use it as a metric."
- Zero-Trust Efforts Rise with the Tide of Remote Working
- Don't Slow Cybersecurity Spending: Steer into the Skid with a Tight Business Plan
- DevSecOps Requires a Different Approach to Security
- Attack Surface Area Larger Than Most Businesses Believe
- The Threat from the Internet—and What Your Organization Can Do About It