
Security spending remains strong in '22
Freelance Writer & Editor
What’s your security budget look like in 2022? Chances are, it’s as good or better than it was in 2021, according to the 2021 Security Priorities Study by IDG’s CSO.com.
This is because, according to the report, nine out of ten security leaders say they are falling behind when it comes to addressing cyber risk. As a result, “some are doubling security budgets, more are investing in new infrastructure, and most are outsourcing more security functions than ever.”
Rebecca Wynn, global CISO and privacy and risk officer consultant at outsourcing firm Click Solutions Group, says the increase in spending may be related in part to the change in working habits during Covid-19. During 2020 about half of all U.S. businesses moved to or accelerated their remote work options, according to the U.S. Bureau of Labor Statistics. Companies were so focused on getting employees up and running on technology at home and supporting them with systems, software, and services that compliance and auditing took a back seat.
“People had to do a quick lift-and-shift in the fourth quarter of 2019 and early 2020, and things like HIPAA, telehealth, PCI audits got to be a little lax. Now that we’ve come into 2022 we have companies realizing that, ‘Hey, we haven’t had a HIPAA assessment, a business continuity assessment, IR, DR, looking at our legacy systems, doing cybersecurity training. What do we do now?’”

For many, the answer is to outsource some of their security functions in an effort to catch up. According to the CSO.com study, organizations are already outsourcing evaluation services such as pen testing, risk assessments and security audits, which comprise about 27% of security spending. The bulk of the security budget, however, will go to on-premises work: security executives reported they are spending 20% of their budgets on on-premises infrastructure and equipment, and another 20% on skilled staff. Security awareness training will garner 7% of the IT security budget, according to the report.

We spoke to a group of security leaders at midsized companies to see where their spending is allocated for the coming year. Here’s what they said.
Ben Nelson, CISO at FICO, a data analytics company focused on credit reporting
It’s no surprise that in 2022, organizations will continue to utilize customer information to help create impactful and successful interactions. All the while, attackers get more sophisticated at compromising security fundamentals in an environment where security talent is being spread very thin. Security investments, like continued diligence on patching and vulnerability management, are crucial for organizations as a means to protect business interactions, and to demonstrate to customers that their data is respected and their vendors can be trusted.
Patching and vulnerability management, as well as the ever-present supply chain security complexity, continue to be key investments in 2022 to strengthen customer, partner, and vendor relationships. As digital transformation evolves to become a necessity rather than a nicety, the amount of data organizations collect, produce, analyze, and share grows exponentially.
There’s the saying that anything that can go wrong will. That may feel dramatic to say out loud, but it’s certainly a saying that should drive how we prioritize and act. While organizations should make any and all reasonable security investments they can to prevent issues, it is also critical to invest in security response maturity. When something does go wrong, there is a heightened need for clear and robust protocols in place to mitigate additional risk quickly and safely for all parties involved.
Lastly, and probably most importantly, is a focus on investing in security talent. As the need for better security rises, so does the need for great talent to identify areas of risk, innovate solutions, and invest in the success of our businesses through security. Growing our existing talent and finding interesting opportunities to attract new talent remain a top priority and investment in 2022.
Sanjay Macwan, CIO & CISO, Vonage, a telecommunications company
At Vonage, our focus is security, privacy, trust, and compliance by design, meaning that these tenets are built into everything we do, not as an afterthought. As such, we continue to invest in security tools, technologies, processes, and employee training to ensure security is embedded in the entire lifecycle of our software, infrastructure, and operations.
In 2022 we are making additional investments in software security to ensure our engineers are able to embed and test for security in every step of the software development lifecycle. Another area of ongoing investment is security of our cloud infrastructure: from zero trust security architecture to threat detection to incident response.
Dave Anderson, CISO at mParticle, a customer data platform provider
As far as 2022 investment, we're focusing heavily on process automation, identity and access management, and zero-trust.
Given tight budgets, we need to automate as much of the manual work as possible, so we're going to be acquiring tooling that will help us create workflows for common processes such as onboarding, offboarding, incident response, and other common IT and security tasks that have multiple steps.
For IAM we're planning on replacing our aging and less flexible solution that we have in place with a modern cloud-based solution that will provide us better integration with our vendors as well as better security. For zero-trust, we're moving away from the VPN as much as possible and using the employee's laptop as the trusted device, no longer depending upon being connected to a corporate network as the primary indicator of trust.
Matthew Sharp, CISO at Logicworks, a cloud computing management company
We are contemplating further investment in Application Security Posture Management (ASPM), SaaS Platform Management, and Attack Surface Management to take our security to the next level. These investments will all help ensure the security of our Software Driven Cloud Management offerings and reinforce resilience in our Cloud Reliability Platform.
ASPM is an investment that we're looking to make to get tighter orchestration around the application security practices that we have internally. There are a lot of moving parts in app sec, and when you start to do infrastructure-as-code and then layer on applications into containerized and serverless environments, the attack surface gets pretty crazy and keeping up with the rate of deployment gets pretty difficult to keep track of unless you've got basically something automated on the back end.
