CISOs are being asked to do a lot more with less as their businesses are going all-in on new digital businesses that demand identity-based security while keeping budgets tight for securing infrastructure against attacks.
Cybersecurity budgets are, on average, just 5.7% of IT annual spending. That’s tight for many security teams. CISOs are rising to the challenge, however, and delivering revenue gains by protecting new digital businesses while keeping infrastructure safe. Achieving that is a quick way for CISOs to advance their careers.
Cybersecurity needs funding to match its business growth potential
The good news is that more CEOs and boards see cybersecurity as a business enabler. The challenge for CISOs, however, is that cybersecurity still gets funded purely for its defensive value – not its upside potential to drive growth.
Many security teams struggle to make ends meet in their budgets while still staying responsive to internal teams’ needs. Forrester’s 2024 Cybersecurity Benchmarks Global Report shows just how tight budgets can get for a CISO and their team. Project-related work and incident management are a constant balancing act for security teams, and keeping them both in check is key to staying under budget.
Top Ten Insights
Cybersecurity budgets are on the low side compared to the growing complexity of threats and risks organizations face.
That’s forcing CISOs to be selective about what they spend on and how they allocate limited resources. Add to that the average spend of $1,070 per enterprise user and $157,000 per cybersecurity employee, and cybersecurity teams have little, if any, room for inefficiencies.
The following are the top ten insights from Forrester’s latest cybersecurity benchmark report:
- CISOs need to move out of the IT organization and report to their CEOs and board of directors to have a chance at a more realistic budget. Forrester finds that cybersecurity budgets increase when CISOs report directly to the CEO or board of directors. CISOs who can articulate the business value of cybersecurity, demonstrating how it can drive revenue and support strategic goals, are more likely to secure the necessary funding. This shift also reflects a growing recognition of cybersecurity’s strategic importance beyond mere IT operations.
- Software will dominate cybersecurity budgets in 2024. The report reveals that 35.9% of cybersecurity budgets globally are allocated to software. This trend is particularly pronounced in large enterprises with up to 74,999 employees, where 39.4% of the budget is dedicated to software. Smaller organizations, conversely, spend a higher percentage on outsourcing services due to limited in-house capabilities, which underscores the scalability challenges smaller firms face in maintaining robust cybersecurity defenses.
Source: Forrester 2024 Cybersecurity Benchmarks Global Report
- Cybersecurity spending per user keeps climbing, reaching $1,070. This is another budget constraint CISOs have to factor into their total operations plans for a given year. Forrester notes that “the cybersecurity spend per enterprise user ranges from an average of $947 at extra-large organizations (75,000 or more users) to $1,210 at small organizations (fewer than 10,000 users).
- Personnel costs consume 28% of the typical security budget. The report highlights that organizations are spending an average of $157,593 per cybersecurity employee. Full-time employees make up 73.5% of security teams, with the global average cost per contracted full-time equivalent (FTE) reaching $194,613. This significant expenditure on personnel underscores the critical role of skilled professionals in maintaining effective cybersecurity defenses.
- System Defense is the leading functional spend category in 2024. Forrester finds that 29% of functional spending is in System Defense alone. The funding levels approved for this category reflect the critical need to protect endpoints and mobile devices against increasingly sophisticated attacks. With adversaries innovating faster than enterprises can keep up, System Defense is a must-have to protect new digital businesses and infrastructure. The following graphic shows cybersecurity spending by functional domain.
- Identity and Access Management (IAM) takes up 21% of functional spending in the typical budget. Identity-driven attacks take many forms, from mass phishing to whale phishing, where senior executives of a company are targeted with tailored campaigns IAM also enhances operational efficiency and fraud reduction, making it a strategic investment for many organizations. Its broad applicability across both internal and customer-facing applications drives its substantial share of the cybersecurity budget.
- Security analytics and incident handling reach 13% and 14%, respectively. Forrester notes that each of these separate services accounts for a relatively low percentage of the overall cybersecurity budget. Still, most organizations combine spending on these two categories into “detection and response.” Both areas combined equal 26% of the overall security budget, on average.
- Getting compliance and governance right is a growing concern for many CISOs who are willing to spend their budget to stay in good standing with the SEC. The Security and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure adopted on July 26, 2023. The rules adopted by the SEC define a standardized process for cybersecurity disclosures for public companies. These rules require companies to disclose material cybersecurity incidents on Form 8-K or Form 6-K within four business days of determining the incident’s materiality. Additionally, companies must include cybersecurity risk management, strategy, and governance information in their annual reports (Forms 10-K and 20-F). The rules also mandate the use of Inline XBRL for tagging these disclosures.
- Incident handling is on average, 13.5% of a global cybersecurity budget. This category is the most unpredictable, as it deals with responding to intrusions and breaches that cannot be forecasted. Spending on incident handling varies by company size, with small organizations (fewer than 10,000 employees) aligning with the global average of 13.5%. Larger organizations tend to allocate slightly less, likely due to more extensive preventative measures and diversified cybersecurity resources.
- Privacy is core to customer trust today and gets funded, even in tough budgeting cycles. The two departments that use privacy-related solutions the most frequently are legal and marketing, which dedicate on average 12% of a cybersecurity budget to them. Forrester notes that this 12% figure is not the total privacy spend of an organization. Rather, the report says, “Data privacy spans multiple areas of the organization, including marketing and legal. Its share of the security budget doesn’t represent the total spending on privacy-related initiatives across the entire technology estate.
Balancing the scales of cybersecurity budgeting
The bottom line is that cybersecurity is a business decision and needs to be funded with that mindset. Organizations need to see the CISO role as a more board-level one so they can share their technology expertise in helping to manage risk.
It’s time for cybersecurity to be funded as a growth engine, not just one used for deterrence alone.
CISOs can balance the scales by looking for an opportunity to elevate their role to a CEO direct report and, ideally, be on the board to help guide their companies through an increasingly complex threat landscape.