Spiceworks State of IT Study: Security Spending Up

Technology is transforming everything in the workplace, and with that comes budget increases to pay for all these upgrades. According to Spiceworks’ “State of IT 2020” report, technology spending as a whole is $4 trillion a year, and 88% of respondents said they either plan to spend more or stay at the same levels.

A portion of that technology budget is earmarked for cybersecurity. Because of the rash of data breaches and the resurgence of ransomware, the need for better security is a big issue for an increasing number of companies. Security is now at the top of the mind for organizations, said Peter Tsai, senior technology analyst at Spiceworks, during our conversation at this year’s SpiceWorld conference.

And for good reason: Tsai told me that 25% of enterprises are spending more on security because of a recent security incident. Personal experience of a data breach or ransomware attack or malware infection provides a very different perspective of the importance of having a good cybersecurity system.

Upgrading and Replacing

Another driver for the increased spending on technology and on security is the need to replace and upgrade. Support for Windows 7 and Windows Server 2008 is scheduled to end in a few months, and if companies want to have a good security posture, they need an OS that offers regular security patches. Replacing soon-to-be-outdated software is one of those situations where technology spending and security spending intersect—and there’s no doubt Windows 7 upgrades is a real concern. I heard mentioned several times at SpiceWorld that nearly 8 in 10 companies still have at least one machine still running Windows 7. (During one session at SpiceWorld, people admitted to having devices running Windows 98 and more than a few reluctant hands went up when asked about XP. People do love those old systems, but they aren’t helping their company’s security posture.)

In fact, outdated infrastructure was noted by 65% of companies as the reason they were bumping up their technology budgets, while 47% of companies mentioned security spending increases. Clearly, organizations are finally seeing cybersecurity as an important technology purchase.

Where the Money Is Spent

Earlier this year, Spiceworks released another study, “The Future of Network and Endpoint Security,” which details where organizations are spending their security-related technology budget. As that report stated, “59 percent of IT decision makers agree that AI and machine learning technologies can help organizations better detect and respond to security threats.” While adoption of AI and ML is still low—only 18% are using AI-assisted threat intelligence platforms right now—the interest in onboarding those technologies is definitely there, with a rise to 30% expected by 2021.

Other emerging security technologies organizations are adopting include application sandboxing, behavioral analytics and application integrity protection.

How Companies Approach Security Spending

One part of the “State of IT 2020” report highlighted the purchasing process. What I learned is when it comes to security, it is a joint effort. Even though security only accounts for 7% of the overall technology budget, there are quite a few decision-makers involved in the process, from an average of three in a small business to 12 in a large enterprise. Purchasing is done in phases: first determining the need for security technology, then researching the different solutions available with reliability a prime concern, and finally vetting potential vendors. It’s a process that takes this team less than six months, but involves a lot of research and product comparisons.

Overall, there has been a clear shift in security awareness. IT professionals have long been acutely aware of cybersecurity risks, Tsai said, but now the rest of the world has caught up.

“We’ve been bombarded with security news,” he said. “It’s easier to convince the higher ups now of the need for it. Security is something regular people are talking about. Security is no longer a theoretical what if; it’s an actual experience companies are having so they are shifting toward prioritizing it.”

Sue Poremba

Avatar photo

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.

sue-poremba has 271 posts and counting.See all posts by sue-poremba