There's a clear leader when it comes to investment plans for this year, according to Red Hat's 2023 Tech Outlook report, with cybersecurity taking precedence over innovation as the top area of investment.
The need for cybersecurity investment was cited as a priority across a variety of technology categories including cloud infrastructure, big data and analytics, and automation, and 44% said that it was a top three funding priority -- a full eight points higher than the cloud infrastructure option.
Network security and cloud security were the top two funding priorities, according to the report, which surveyed 1,703 IT leaders worldwide.
In addition, roughly three-quarters of respondents said they “somewhat increased” or “significantly increased” their investments in securing access by applications to other applications or data sources, or both, this year.
Security Investments Aren't Optional
Red Hat technology evangelist Gordon Haff says in some respects, security investment decisions are probably not that different from other IT investment priorities, but where security differs a bit is that many security investments aren't optional.
“They're not about delivering a somewhat better experience to customers or reducing friction for some internal workflow,” he says. “They're often about protecting the business against serious risks.”
Haff points out network security can be thought of as something in the vein of traditional security measures, noting a lot of this type of security relies heavily on traditional networking and networking security vendors.
“There are internal costs, too, of course, but network security -- and cloud security is closely related in many ways -- also relies heavily on writing checks to vendors,” he says.
Phil Neray, vice president of cyber defense strategy at CardinalOps, says the reason cybersecurity is still a top spending priority -- even in the face of current macroeconomic trends -- is that business leaders now recognize that cyber risk translates directly into business risk.
“That means CISOs should prioritize security investments that support the business -- such as cloud initiatives that can lead to new customers and revenue streams,” he says.
Neray adds people investments are also an essential part of the 2023 plan, because of the reliance on human innovation and creativity to defend against adversaries, who are also human actors and constantly adapting.
“At the same time, automation and data-driven analytics are also required to deal with the massive volume of telemetry we're collecting from all layers to quickly detect and respond to attacks,” he says.
Understanding the Risks, Planning the Costs
From the perspective of Shira Shamban, CEO at Solvo, making budget priorities and decisions is always a challenge, not only when talking about security.
“The difference is very often when planning a security budget there are lots of uncertainties and what ifs to consider, which are not directly correlated to ROI,” she says. “It’s hard to plan for a scenario you hope won’t happen, and if it thankfully doesn’t happen it is hard to quantify or be certain if it was thanks to the expensive products you purchased in foresight.”
Key to effective prioritization of security investments is understanding the risks, the “what if” and then adding the cost. “We need to identify the areas that make the biggest impact and protect them in the best way possible,” Shamban says. “Security is a game of risks.”
She adds that even with an unlimited budget, organizations don’t have an unlimited funnel of security employees. “Therefore, you need to put some budget into hiring, but a lot more into improving what you already have, meaning improving the skillset and integrating automations to scale,” Shamban says.
Security Talent in Short Supply
Dennis Monner, chief commercial officer at Aryaka, says he thinks what IT leaders are finding is that the talent that they really need on their teams is in short supply.
“The boundaries between the traditional, functional disciplines are getting fuzzy, requiring a new breed of security professional,” he explains. “The cloud team needs to understand the network. The network team needs to understand security. It’s driving them to rethink their investment and hiring strategy.”
He adds that recruiting, training, and retention all take real dollars from the budget that could potentially be deployed in services that guarantee performance.
“You can only outsource security to a certain degree,” Haff cautions. “Even if you're 100% in a public cloud, you're still largely responsible for your own application security, as well as your internal access and authentication procedures.”
While a cloud provider can implement all manner of security tech and processes, if you don't control who has access, those won't do much good.
“It was somewhat disappointing that, although our survey generally showed investments in people was a high priority, ‘hiring security or compliance staff’ was one of the lowest security funding priorities,” he adds.
CISOs Must Prioritize Security Investments
Monner says that now more than ever, the CISO is a business enabler, and investing in the tools, policies, vendors, and people that help achieve those business objectives should always be the foundation for any investment decision.
“For the CISO, the key to effective security investment prioritization is a solid understanding of what the business wants to achieve,” he says. “Too often, CISOs force a security model that was built for a different enterprise.”
Haff says the key to effective prioritization of security investments is determining what is essential to keeping the lights on.
“In this case it means, to a large degree, keeping customer and company data safe,” he says. “Data breaches can be both very expensive directly and destroy the trust customers have placed in the company.”
He adds that CISOs also must be aware of new threats rather than just setting priorities the same as they've always done.
Haff said it was troubling to see “third-party or supply-chain risk management” remained the lowest security funding priority this year.
“This was in spite of well-known vulnerabilities like that in Log4j and considerable attention being paid to the problem by governments, including the US federal executive branch,” he says.