The Economic Shutdown’s Impact on Security Budgets
Cybersecurity spending, even if only driven by industry and government regulatory compliance mandates, has proven itself to be relatively resilient through previous downturns. Will this downturn prove different?
Toward the end of March, S&P Global Ratings cut its global GDP growth from 2.8% to as low as 1%, and research firm IDC predicted that IT spending growth, year over year, would drop from an anticipated 5.1% to perhaps 1.3%. There’s more in our DevOps.com story, “Coronavirus Economic Shutdown: Analysts Hit the Brakes on Global IT Spending Estimates.”
“We expect cuts to budgets where company revenues have dropped steeply. However, we have not yet seen customers with critical infrastructure cut security budgets. What we have seen is a rapid change in focus to supporting and securing a remote workforce and more online activities,” said Cary Wright, VP of product management at network monitoring company Endace.
According to a recently released forecast from the research firm MarketandMarkets, the global cybersecurity market is expected to grow to $230 billion by 2021 from about $183 billion in 2019, with the fastest growth rate to be within the endpoint security market.
Despite the anticipated overall growth rate, areas of security are likely to contract, especially with the increased focus on security endpoints, remote workers and cloud services, most products and services associated with on-premises data centers will see a reduction. And, to cut costs, many expect security teams to consolidate the number of security vendors they use where possible.
As Bill Ruckelshaus, CFO at ExtraHop explained, it’s tempting to view cybersecurity as recession-resistant, and as an indispensable cost of doing business. This is because over the past decade or so, Ruckelshaus said, most security programs had the necessary funding to add new tools and even retain legacy tools under the guise of risk management. “There’s a fear that turning tools off may create gaps and vulnerabilities. This new economic slowdown is going to change that calculus. Tighter budgets will ripple down to security, and finally cause us to pull the plug on legacy security tools in favor of a refined group of tools better designed to handle advanced threats,” he said.
“Organizations will need to take a critical look at the number of security vendors within their ecosystem to identify overlap,” Ruckelshaus continued. “The prevailing technology will be those that effectively work together within an organization’s ecosystem to strengthen core security.”
Of course, as tech spending declines broadly, so will tightly associated security spending. “Security budgets are being impacted by both the COVID-19 pandemic and budget cuts in several ways,” said Bob Layton, chief revenue officer at Digital Defense. “IT budgets are based upon a percentage of revenue, and corporate forecasts are unclear right now. The work from home necessity is re-prioritizing IT budget dollars toward infrastructure purchases to just keep running, and evaluation of public and private clouds for simple connectivity and scale are hot discussion topics.”
He added that while enterprises have focused on the end user experience when it comes to working from home, security has slipped in priority, but not far and not for too long. “[Our] channel checks and surveying of our top customers tell us security is still a priority and spending is steady. However, the immediate priority is responding to home workers. Once the workforce gets productive in the present environment, security will rocket right back to the top. This is likely a mid-quarter 2 bounce to watch for,” he said.
Patrick Hubbard, “head geek” at SolarWinds, said there was a time when security budgets always seemed to be last in line for funding, especially when overall spending was cut. However, today, that’s unlikely. “The number of threats, attackers and real damage to business make security no less fundamental in a downturn than keeping power on in the data center,” Hubbard said. “Businesses will have enough challenges ramping back up without [also] recovering from a critical breach.”
He shared an analogy from his current city, Austin, Texas. “Most of the trendy downtown bars and restaurants boarded up their windows with plywood, which was, of course, then covered with inspirational street art. Some might say that’s overkill and unnecessary, with no patrons on the deserted streets. But in reality, it’s affordable peace of mind and an effective deterrent. It allows the owners to focus on saving their businesses and surviving the crisis knowing their facilities will be ready to go day one,” he said. “Security in a downturn is the same. It’s a relatively small part of the overall budget and assures you will be quick out of the gate when the slowdown ends.”