Dark Reading is part of the Informa Tech Division of Informa PLC



Cybersecurity Budget Rose in 2019, Uncertainty Prevails in 2020

Budgets rose as IT complexity continued to challenge companies, with identity and access management technology an increasingly common focus.

Companies increased spending on cybersecurity before the shift to remote work during the coronavirus pandemic, with more budget spent on identity and access management, cyber monitoring, endpoint security, and network security, according to a study released by consulting giant Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC). 

Three major trends — digital transformation of businesses, remote work, and the shift to more partners and contractors — had already blurred the line between in-office and remote workers, adding momentum to the adoption of zero-trust principles, the report says. The trends led companies to spend more per employee on cybersecurity in 2019: 10.9% of their IT budget, or about US$2,700 on average per employee, up from US$2,300 for the prior year.

While the impact of the coronavirus pandemic has made cybersecurity budgets unpredictable, the shift to remote work will likely cause some changes in focus for cybersecurity budgets, but not necessarily the overall amount, says Julie Bernard, principal and lead of the cyber-strategic risk advisory team at consultancy Deloitte.

"I don't know that the actual dollar amount is going to change that much," she says. "I think that perhaps instead of some expansive program that some CISOs had wanted to take on — they will have to get more practical and tactical in the next several months."

While the business environment has changed because of the coronavirus pandemic, many of the challenges that face companies remain the same, according to the study. The top two challenges for business are the complexity of today's IT environments and a lack of skilled cybersecurity professionals. 

Meanwhile, their top security priorities are access control, protective technologies, and data security. Identity and access management (IAM) jumped up in the latest report to the top priority, up from the No. 2 spot in the previous two years. Budget assigned to procure identity and access management has steadily grown over the years, as a share of the overall cybersecurity budget, the companies found. In 2018, the average company used 11% of the cybersecurity budget on IAM, which grew to 14% in 2019 and 16% in 2020.

Data security technologies have also crept up in priority for the past three years, to land at the No. 3 spot this year, the report says.

"Some of the focus on data security is regulatory," Bernard says. "But I think that also data security becomes more important as you move to the cloud."

The study of corporate cybersecurity budgets used three metrics to measure expenditures: cybersecurity costs compared with total corporate revenue, costs as a percentage of IT budget, and costs per full-time employee. All three measures of cybersecurity expenses rose in 2019, according to the study. 

Cybersecurity budgets as a percentage of corporate revenue rose to an average of 0.48%, up from 0.34%. As a percentage of the IT budget, cybersecurity rose to 10.9% in 2019, up from 10.1% in 2018. And, as measured per employee, cybersecurity rose to $2,691 per full-time worker in 2019, up from $2,337 the prior year.

Financial firms spend the most on cybersecurity, as a share of employee cost. The average financial utility firm spent US$4,375 in 2020, up from $3,630 in the prior year. The amount represents about 0.8% of a company's revenue, the highest percentage among the industries tracked in the report.

Companies typically spend anywhere from 7.2% to 15.2% of their IT budgets on cybersecurity in any given year, the report says.

"It is rare that I find any company that is spending so little that it seems that they are derelict," she says. "Everyone is trying to get that portion right. And one of the reasons that we embarked on this study, we see the cyber spend on IT spend a lot, because people use it as a metric."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...