Security investments sustain, but shift in a tight economy
- Security has been a big investment for companies - but it has also led to security sprawl. Dan Lascell of Tercera reviews the imbalance between supply and demand for security services.
In a tightening economy, many companies pause to rethink and reallocate investments. They sometimes delay big transformational initiatives in favor of smaller projects with nearer-term ROI. They can pause hiring or cut headcount, asking employees to take on more or reallocate their focus. They do what they can to cut unnecessary spending, and wring as much productivity and efficiency as they can from existing systems and investments.
However, one area that’s more resilient to cuts than others during a recession is security. Here’s why.
First, bad actors don’t care that the economy is slowing. The opposite is true – it represents an opportunity, for either monetary or geopolitical gain, to rob the bank when the security guard is out to lunch.
Second, the risk of security breaches is increasing – both in impact and visibility. A data breach can destroy both revenue and brand reputation, not just for large, well-known companies but for smaller companies as well. And small businesses are increasingly being targeted for ransomware and other attacks, especially those that play a critical role in supply chains or infrastructure.
The Strengthening American Cybersecurity Act, signed into law in March, aims to increase security across both the private and public sectors, but it also places additional reporting and disclosure requirements on companies. These requirements, and the need to detect and respond to threats quickly, have made security a top-level business priority… and a legal requirement. According to a 2021 Gartner survey, 88 percent of Boards of Directors now view cybersecurity as a business risk, as opposed to a technology risk.
In a tight economy, security is the exact opposite of unnecessary spend – it’s becoming more necessary by the day. However, the areas in which companies invest are likely to shift.
The shift from products to people
Companies have invested significantly in security over the last few years, driven by many of the forces above, along with the near-overnight move to remote work during the pandemic. While these investments have improved the security posture for companies in some ways, they have also led to security sprawl, with companies operating and maintaining dozens (if not hundreds) of different systems.
Security sprawl is difficult to integrate and costly to manage — especially at a time when companies can’t find the skilled experts they need to oversee these systems. Technology helps automate some aspects of security, but it takes people to design, implement, integrate, manage, monitor and evolve these systems.
Unfortunately, people with specialized security skills are becoming harder to find and more expensive to train and retain. According to the 2021 (ISC)² Cybersecurity Workforce Study, North America already has a security talent shortage of about 402,000 people, and it’s likely to get worse. According to the study, the cybersecurity workforce needs to grow 65% to effectively defend organizations’ critical assets.
This imbalance between supply and demand is one reason businesses are turning to Managed Security Service Providers (MSSPs), and we expect that trend will continue. According to Gartner, MSS revenue reached nearly $14 billion in 2021, growing 9.8% compared to 8.3% in 2020. Over the next 12 months, nearly 70% of IT security teams plan to outsource to a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP).
We believe this increase in people-based security spending will continue as companies look to increase their security posture while, at the same time, lowering costs and rationalizing product sprawl.
The shift from ground to cloud
The shift from product to people-based investments isn’t the only change happening in the next 12-18 months. While early security investments focused on protecting on-premise systems that housed sensitive data and ran critical business processes, more and more of those investments are moving to security systems and devices that companies don’t necessarily “own”.
According to studies like this one from Equinix, nearly half of IT infrastructure currently runs on the cloud and the vast majority of companies (70%) have made cloud migration a top priority. This move to the cloud has forced vendors and companies alike to adjust their approach to securing systems, data and people. New architectures, new technology and new skills are needed to adapt to a rapidly changing business, tech and threat environment.
The move to zero trust security is just one example of how businesses are modifying their security architectures. In the cloud’s third wave, zero trust has evolved from a vague concept to a preferred security framework. In June 2022, the Cloud Security Alliance released data that says 80% of C-suite executives have prioritized zero trust in their organizations and 77% are increasing their spending on zero trust over the next 12 months.
Zero trust requires different skills and technology than many companies currently possess. For example, it requires specific capabilities around identity management. This has benefited companies like Okta, a vendor on the Tercera 30, as well as services firms like BeyondID, a Managed Identity Security Service Provider (disclosure: a Tercera-funded company), which has doubled revenue over the past year by helping organizations modernize their approach to identity management in a cloud-first world.
Data and endpoint protection is another area where investments and technology will continue to evolve and consolidate. By the end of 2023, Gartner expects 95% of Endpoint Protection Platforms to be cloud-based. Tanium, another Tercera 30 vendor, has seen tremendous growth over the last few years with its Endpoint Protection Platform (EPP) that helps organizations protect, detect and respond to threats across both on-premise and cloud-based systems.
The bottom line is this – in a tight economy, companies will continue to spend on security because they have to. The drive for digital transformation, and the evolving threat and regulatory environment, demand it. But that spend will shift into different areas in which companies are exposed. Whether they are vulnerable because they don’t have the right people and capabilities in place, or because they have dated systems that don’t support a broadening attack surface, security is no longer discretionary spend.