Enterprise Security Spending Findings

The IDG Security Priorities Study, which explores organizations' security projects, yields significant enterprise security spending findings. They are summarized below.

Worldwide spending on information security products and services will reach over $114B in 2018, an increase of 12% from last year, according to the latest forecast from leading research firm Gartner. The firm is also forecasting that the market will grow 8.7% to $124B. This compares with a figure of $102B for 2017.

It’s estimated that revenue for the information security market may grow at a compound annual growth rate (CAGR) of 7.8% from 2017 through 2022 and reach $143B in constant currency terms.

Spending on Security Services, as forecast by Gartner, will account for 52% of total global security spending by segment in 2019, at $64B out of $124B overall. If the estimates are correct, the percentage change for the segment between 2017 and 2019 will equate to 23%, a gain of almost $12B over this period.

Enterprise Security Spending Findings – Key Takeaways

  • Fully half of respondents expect their security budget to grow in the next twelve months, while another 46% say theirs will remain flat versus last year.
  • The mix of their spending appears to be shifting gradually more toward operational expenses
  • Over the past two years, more respondents have seen an increase in OpEx (43%) than in CapEx (34%), presumably reflecting the emergence of more as-a-Service options for security tools
  • Considering the speed of growth for overall IT cloud services — as one data point, Amazon Web Services revenue increased 41% year-over-year in the first quarter of 2019 — it could be argued that security is moving slowly in this regard

Security Spending Findings – Increase in Overall Security Spending

What is behind the increase in overall spending?

The threat landscape is dynamic, and large-scale data breaches continue to hit the headlines. 2019 thus far has seen news such as an estimated 885 million record breach at First American Corporation. Survey respondents, however, indicate that news-driven security prioritization is relatively less common in their organizations. Instead, the biggest drivers by far are best practices (73%) and compliance mandates (66%). Both of these answers have often-debated drawbacks. Experts note that even well-established best practice frameworks from NIST and COBIT are limited, and that organizations can struggle to implement their directives in each unique context and with the greatest possible effect.

Compliance as a driver of budget and priorities is perhaps even more problematic.  Survey respondents listed compliance mandates as one of their biggest distractions from executing more strategic security plans.

Enterprise Security Spending Findings – Priorities for Security Spending

Factors that determine the priority of security spending:

  • Best Practices, 73%
  • Compliance Mandates, 66%
  • Responding to a security incident that happened in the organization, 39%
  • Mandates from the BOD, 33%
  • Responding to a security incident that happened in another organization, 28%
  • Responding to a security incident that happened in a business partner organization, 27%
  • Partner Mandates, 24%

Enterprise Security Findings – Top Security Priorities

Top priorities for the coming year:

  • Improve the protection of confidential and sensitive data 59%
  • Increase awareness programs and staff trainings 44%
  • Upgrade IT and data security to boost corporate resiliency 39%
  • Improve understanding of external threats 34%
  • Better leverage data and analytics 24%
  • Reduce complexity of IT security infrastructure 22%
  • Improve understanding of potential internal/insider threats 20%


Security Findings – Security Reporting Structure

Who’s In Charge?

For years, some experts in the security field have championed reporting outside of the IT organization. One argument is that the security department needs independence from the CIO to make sure necessary controls, which can sometimes slow business systems and processes, are nevertheless put in place. Another argument is simply that reporting to the CEO shows that the business takes risk seriously.

This year’s survey results show that more than two-thirds of responding organizations (69%) have a CSO, CISO or other designated top security leader.

Of those leaders, 31% report to the CIO, while 29% report to either the CEO or the Board of Directors. Predictably, titles rise with company size.

Breakout data shows that large enterprises are more likely to have a top security executive than small or mid-market organizations. Turnover at the CISO level is often attributed to the difficulty of the job and the likelihood of this executive suffering the consequences of a data breach. However, this survey’s results show another side of turnover: high demand for skilled leaders. Nearly one quarter of respondents said they have been approached about other security jobs six times or more during the past 12 months.

Security Spending – Security Technology & Processes

Technologies and Processes — More of the Same?

A certain set of familiar security technologies has achieved wide adoption. The following technologies had the highest in-use rates (either in production or being upgraded) among respondents:

  • Anti-virus/malware (83%)
  • Firewalls (82%)
  • Endpoint protection (76%)
  • Patch management (73%)
  • Security education/awareness training (72%)

Security Spending Findings – Security Projects Actively Researched

This year’s data finds that organizations are actively researching:

  • Zero trust technologies (47%)
  • Deception technology (40%)
  • Behavior monitoring & analysis (39%)
  • Cloud data protection (38%)

Last year’s results showed more interest around blockchain (58%), while this year only 50% of respondents are interested in the technology. The challenge is that the ever-evolving threats create an arms race for security professionals — and simply buying more of the same kinds of tools may not let them keep up. As more digital business processes come online and more data flows through these companies, real innovation in security is necessary. That includes not only technology innovation, but also new thinking, processes, organizations, and more.

Enterprise Security Spending – Where Enterprise Security Projects Fall Short

Respondents indicate a number of areas where they feel their security program falls short.

Factors include:

  • Failure to address security during application development (35%)
  • Inadequate employee training and awareness (31%)
  • Lack of involvement prior to implementing new technologies (30%)
  • Lack of proactive strategy (27%)
  • Inadequate communication between security and lines of business (27%)

Enterprise Security Spending Findings – What Are Hot Enterprise Security Projects?

This year’s data finds that organizations are actively researching:

  • Zero trust technologies (47%)
  • Deception technology (40%)
  • Behavior monitoring & analysis (39%)
  • Cloud data protection (38%)

