Security spending is not expected to slow much next year as organizations look to improve cloud defenses, rely more on MSSPs.

Cybersecurity spending in the coming year may not be recession-proof, but it’s likely to be recession-resistant. Still, pressure remains on security leaders to prioritize technologies that generate the most bang for the buck. Forrester released a report Tuesday to help organizations do just that.

“It’s hard to assess what 2023 budgets will look like because most companies are in their budget planning for 2023 now, but I think most companies are taking a cautious approach,” says Forrester Vice President and Research Director Merritt Maxim.

“There might be some growth or flat, with the potential that if there is a more significant downturn next year, then spot cuts may be necessary,” Maxim continues. “For now, though, I don’t see any immediate slashing of budgets in anticipation of macroeconomic conditions.”

Firms under-spending on cloud security, over-spending on on-premises security

The report notes that one area where organizations may be under-spending is on cloud security. Given that 58% of organizations will have moved their application portfolios to a public cloud in the next two years, it says, security teams, while spending a notable amount on cloud security, aren’t spending enough given the percentage of workloads migrating to the cloud. They need to spend far more, it adds. On the other side of the ledger, the report maintains that organizations may be spending too much on on-premises security-related items.
It found that when expenditures for maintenance, licensing, upgrades, and new investment are combined, on-premises spending is the largest expenditure in security budgets—41% for organizations that spend 20% or less of their IT budgets on security; 38% for those spending more than 20% of their IT budgets on security.

“Even though there’s interest in getting as much in the cloud as possible, it may not be practical for some kinds of data,” explains Maxim, one of the authors of the report. “Certain on-premises tech may not have a suitable cloud equivalent, especially if it’s a custom app, so a migration path may not exist. There may also be security risk concerns.”

Spending shift to managed security services providers

The report also forecasts that migration to the cloud won’t reduce organizations’ spending on services. However, Forrester predicts that traditional spending on managed security services providers will shift to new offerings and new providers that offer better outcomes.

“There’s a broad and deep ecosystem of service providers that can support any range of cybersecurity capabilities, much more so than there were five years ago,” says Maxim. “Organizations need to understand a service provider’s capabilities, and to what extent they have serviced companies in their industry or of their size.”

Cutting security awareness training won’t save in the long term

One area budget makers may be tempted to cut, the report notes, is security awareness and other kinds of training. Cutting spending in these areas is tempting when the economic picture darkens, but it won’t save much compared with other expenditures, the report contends, and it will exacerbate the skills shortage and sacrifice the ability to instill trust just when borderless, anywhere-work organizations need it most.

“While humans may not be the primary culprit, they’re certainly one of the lead culprits in why attacks are successful,” Maxim observes.
“Anything you can do to improve the vigilance and resilience of your users is going to benefit you. Where companies may have gotten misled is that doing a 30-minute video that users review once a year and calling it security training is an effective approach. Security behavior has to be embedded in the culture on an ongoing basis.”