Forrester: CISO Budgets Not Immune to Cuts

Enterprise technology budgets, potentially including security budgets, face looming pullbacks even as digital attacks rise, regulatory pressure grows, enterprise business-technology architectures become more complex and staff with specialized cybersecurity skills remain in short supply. CISOs and their peers are heading into one of the most challenging periods they have faced.

Still, a new report from Forrester Research warned that CISOs mustn’t pull back spending on critical areas. “And while business leaders are far less likely to target security investments during economic downturns, it would be unwise for security and risk leaders not to join their IT counterparts to assess their spending across the board to ensure maximum value,” the Forrester Planning Guide 2023: Security & Risk stated.

Forrester advised security leaders to continue to spend on security controls that protect customer-facing and revenue-producing workloads. Forrester also recommended budgets that support modernization efforts, such as cloud and zero-trust, be defended against cutbacks.

While Forrester advised enterprises to continue investing in security defenses that support those modernization efforts, such as API security, bot management, cloud workload security, zero-trust network access, security analytics and more, the market research firm also identified areas where enterprises should look to cut or avoid security spending.

“In healthy or tough economic times, it’s always a good idea to decrease investment in standalone solutions and legacy on-premises security controls,” the report advised. Forrester recommended decreasing or avoiding investment in existing budget categories, such as standalone data loss prevention, standalone user behavioral analytics, managed security services providers and other legacy and potentially duplicative areas. “Over time, MSSPs devolved into alert factories sending templated emails about alerts to clients that failed to provide context or accelerate decision-making. As MSSPs wane, swap those investments to managed detection and response (MDR) or security operations center-as-a-service (SOCaaS) providers,” Forrester advised.

Forrester did recommend that security and risk professionals strongly consider funding security experimentation and proof-of-concept deployments in certain areas, even given the economic downturn. The areas where Forrester believed this made sense include software supply chain security, extended detection and response capabilities, attack surface management, breach and attack simulation, and privacy-preserving technologies.

Interest and investment in privacy-preserving technologies are rising alongside the eager adoption of AI-driven technologies, because data privacy fears are one of the primary barriers to enterprise AI adoption. “For AI-driven, advanced analytics use cases that hinge on data sharing across multiple parties, these concerns are even greater,” said Forrester. Privacy-preserving technologies include homomorphic encryption, multi-party computation and federated privacy. [Privacy-preserving technologies] enable “organizations to protect customers’ and employees’ data while processing it, such as when exploring personal data to build data models for AI or sharing sensitive personal data across the organization for analytics projects. PPTs promise to unleash the potential of high-performance AI models while satisfying privacy, ethics and other regulatory requirements,” Forrester stated.

Whether the presumed economic downturn is as sharp as some predict remains to be seen, but it’s a good idea for CISOs to be ready just in case.