IT Security Spending to Reach $96 Billion in 2018: Gartner

Gartner is predicting that worldwide security spend will reach $96 billion in 2018. This is up 8% from the 2017 spend of $89 billion. Interestingly, the latest 2017 and 2018 figures show substantial increases over similar predictions made in August of this year. The earlier prediction has 2017 figures at $86.4 billion with 2018 figures at $93 billion.

Gartner suggests that organizations are spending more on security as a result of regulations, shifting buyer mindset, awareness of emerging threats and the evolution to a digital business strategy. 

“Overall, a large portion of security spending is driven by an organization’s reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide,” said Ruggero Contu, research director at Gartner. “Cyberattacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years.” 

A 2016 survey that questioned 512 respondents from eight countries (Australia, Canada, France, Germany, India, Singapore, the U.K. and the U.S.) showed a direct link between security risks and security spend. Gartner believes that the breaches of 2017 will influence the spend in 2018. “As a result,” it suggests, “security testing, IT outsourcing and security information and event management (SIEM) will be among the fastest-growing security subsegments driving growth in the infrastructure protection and security services segments.”

This is likely to be bolstered by the effect of compliance concerns. Regulations are increasing in number, scope, and the size of sanctions, and are getting personal. Europe’s General Data Protection Regulation (GDPR) coming into effect in May 2018 can impose fines of up to 4% of global turnover. In the U.S., the newly introduced Data Security and Breach Notification Act proposes jail terms of up to five years for those who fail to comply. As the effect of these regulations, which can no longer be satisfied by a simple tick-box approach to security, filters through to individual business leaders as well as the company, there is likely to be a knee-jerk reaction leading to increased security spend.

Some of this effect can be discounted. “Regulatory compliance and data privacy have been stimulating spending on security during the past three years, in the US (with regulations such as the Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, and Overseas Citizenship of India) but most recently in Europe around the General Data Protection Regulation coming into force on 28th May 2018, as well as in China with the Cybersecurity Law that came into effect in June 2016. These regulations translate into increased spending, particularly in data security tools, privileged access management and SIEM.”

However, since numerous surveys and analyses have demonstrated that many firms simply do not understand GDPR, are still far from being ready for GDPR, or don’t (yet) believe it applies to them, there is likely to be sudden increased spending following the first legal actions against non-compliance. Any belief that European regulators might allow a ‘bedding in’ period should not be taken for granted.

At the end of November, three European activists (Max Schrems, whose action against Facebook ultimately led to the collapse of the EU/US Safe Harbor agreement; Paul Nemitz, director for fundamental rights and Union citizenship in the European Commission’s Directorate-General for Justice; and Jan Philippe Albrecht, justice and home affairs spokesperson of the European Greens and the rapporteur for the GDPR) got together to announce ‘NOYB [none of your business] — European Center for Digital Rights’. 

The purpose of NOYB is to close the gap between the public perception of privacy and the reality of corporate practice, including bringing cases to court. Since these are activists rather than regulators, they are likely to take private action where regulators may hesitate. In its August prediction, Gartner commented, “The EU General Data Protection Regulation (GDPR) has created renewed interest, and will drive 65 percent of data loss prevention buying decisions today through 2018.” This could prove to be a conservative estimate.

Skills shortages, technical complexity and the threat landscape will continue to drive the move to automation and outsourcing, says Gartner. “Skill sets are scarce and therefore remain at a premium, leading organizations to seek external help from security consultants, managed security service providers and outsourcers,” said Contu. “In 2018, spending on security outsourcing services will total $18.5 billion, an 11% increase from 2017. The IT outsourcing segment is the second-largest security spending segment after consulting.” 

This migration to service providers and outsourcers leads Gartner to predict that by 2019, total enterprise spending on security outsourcing services will be 75% of the spending on security software and hardware products, up from 63% in 2016. 

“For the most part, I agree with Gartner’s assessment that spending is likely to continue to grow overall in 2018,” Nathan Wenzler, chief security strategist at AsTech, told SecurityWeek; “especially in identifying that the overall skills shortage will ultimately drive more companies to spend more in security services.” 

He believes that companies are “reaching something of a saturation point for security software, as they’ve been spending for the last several years to buy products that can protect their environments in different ways.” But they don’t have and cannot get “experienced security professionals who can deploy, use and maintain those products effectively in order to put the tools to work. Organizations will have little choice but to shift their spending to services in order to secure their networks and protect critical data.”

But is ‘more spending’ necessarily ‘better security’? Ilia Kolochenko, CEO of High-Tech Bridge, warns that it isn’t necessarily so. He believes that a more coherent risk-based security approach could lead to improved security without necessarily increasing spend. “Many companies can even reduce their current budgets by implementing a risk-based approach to mitigate appropriate threats and vulnerabilities; and by rigorously selecting vendors based on technology and not marketing claims.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
