It depends on whom you ask, but the weathervane of IT spend would seem to be spinning toward “up” for 2023, although major tech layoffs would suggest the winds are blowing the other way. How might this affect cybersecurity?
Last week, Gartner projected 2023 IT spend worldwide to tap out at $4.5 trillion, an increase of 2.4% from 2022. While the firm conceded that negative pressure from inflation actually cut the forecast growth from Gartner’s original 5.1% prediction, it said overall enterprise IT spending is expected to remain strong.
This aligns with a survey released last month by ESG Research of over 700 executives, more than half of whom said cybersecurity will drive increased IT spending this year. To respondents, cybersecurity is the most common justification that would lead management teams to approve and fund new IT projects. Some 83% of senior IT decision makers also said their organization would be more prepared to respond to a ransomware attack than it was 12 months ago.
In consensus with ESG’s research, a new study by the Neustar International Security Council found few organizations think they are keeping up with security challenges, and only half said they have sufficient budgets to meet their security needs.
Carlos Morales, senior vice president of solutions at Neustar Security Services, answers questions about how organizations should think about apportioning IT budgets and how to shore up cybersecurity needs. The following conversation has been edited for clarity.
Q&A with Carlos Morales of Neustar Security Services
With spending cuts possible, how can organizations keep security initiatives fueled and ready to go?
First, organizations should think very carefully about how they manage any cuts to spending. For instance, let’s say they want to reduce operating expenses by 10%. Applying that unilaterally across all departments and functions seems like a fair approach. From a leadership point of view, if you cut in certain groups and not others, it becomes a harder situation to manage effectively.
Why isn’t this a good approach?
Democratizing the cuts may make it easier to manage across the organization, but this approach doesn’t account for all the risks associated with those cuts. Cybersecurity is only one area driving risk, but it’s a big one, so any decision to cut from security budgets means there may not be a firm understanding of the risks associated with cybersecurity in the budget planning process.
SEE: What CISOs can do to be most effective in their roles
How should a CISO, specifically, handle having to do more with less?
Every organization is different, but I can say that when they’re asked to do more with less, many CISOs respond by top-leveling their risks — looking at only certain internet-facing, brand-impacting assets and focusing on those rather than taking a full inventory of all assets that could lead to risks, which is not an ideal long-term strategy.
Are they using third-party providers who can offer, if not a turnkey solution, at least let an organization offload cyberdefense?
Yes, they are increasingly turning to managed security providers that offer cloud-based security services that include a combination of technology, cloud deployment, operations, software lifecycle management, security and support. MSPs can inject the right capabilities when they’re needed, provide expertise to augment the resources available to the business, and scale flexibly to meet growth and budgetary needs while offering a flexible OpEx model that will help the company better control their expenses.
They remove many of the responsibilities of buying, deploying and managing technology, maintaining the infrastructure necessary to run the technology, hiring the appropriate personnel to manage it and then adapting to the ever-changing threat landscape. They can solve for function, scale and adaptability of solutions, and an increasing number of security providers offer platforms that stitch multiple services integrated together. That provides further opportunity for cost savings, as it allows businesses to consolidate vendors. Strong platform vendors feature sets of services that are complementary, tightly integrated together, adhere to industry best practices and have the necessary expertise to deliver on all parts of the solution.
The importance of cybersecurity
With 2023 likely to feature sophisticated threats as well as growing prevalence of attacks of all kinds, you may be looking to put some security arrows in your quiver both to improve your employability and bring skills to bear on your organization’s cybersecurity requirements. If so, check out this Ethical Hacking Bundle covering everything from Python 3 to NMAP.