Cybersecurity Budgets in 2024: What Tech and Security Pros Need to Know
This year’s RSA Conference, which took place in early May, served as a scorecard for how the cybersecurity industry performed in the first half of 2024, and as a handy guidepost for how the next six months are shaping up.
The consensus from experts and insiders who attended the San Francisco event is that three issues will likely drive the cybersecurity conversation over the rest of the year. Specifically, security budgets and the leaders who oversee them will continue to face pressure while organizations increase their artificial intelligence investments. At the same time, costs associated with data breaches and other cyber threats will continue to rise.
“While cybercrime and cyberattacks are on the rise, security budgets are not keeping pace. Worse yet, in many organizations, budgets are being reduced as a result of floundering business performance,” said Dave Gerry, CEO at Bugcrowd, which helps organizations crowdsource vulnerabilities.
With this confluence of factors likely to affect the cybersecurity industry throughout the remainder of 2024, and possibly into the early part of 2025, tech and security professionals will need to adjust their skills and outlooks to stay ahead of the market, especially as the tech labor market remains volatile.
“The juxtaposition of the rising cost of data breaches and shrinking security budgets is having a significant impact on the marketplace, but also on the staff supporting the organizations who are facing the cuts,” said George Jones, CISO at Critical Start.
Several cybersecurity experts and industry insiders who attended this year’s RSA Conference shared with Dice their insights into these three factors—budgets, A.I. and breaches—and how they are shaping the industry, as well as what it means for how tech and cybersecurity pros need to view their career options over the next several months.
Budgets and the Effect on Cybersecurity
As cyber threats increased over the last 10 years (with businesses’ reputations rising and falling based on their response), cybersecurity budgets increased. That changed in 2022 and 2023 as inflation, interest rates and vendor consolidation took hold. The Wall Street Journal reported in September that the average growth in security budgets for 2023 was about 6 percent, although many security leaders noted their budgets stayed flat or were cut.
It’s a trend that’s sticking, with security leaders under pressure to reduce their spending and consolidate vendors. At the same time, tech and security pros are tasked with protecting platforms and systems, including cloud and A.I. technologies that are increasingly used by enterprises.
“At this year’s RSA Conference, it became evident that achieving cyber resilience is not just a collective goal but a critical necessity, especially in light of ongoing budget constraints,” said Jagdish Mahapatra, chief revenue officer at security firm ColorTokens. “Engaging with our customers and partners, the recurring theme was the challenge of balancing limited security budgets with rising cyber incident costs. It’s clear that addressing these financial hurdles is essential to maintaining robust cybersecurity measures and avoiding even higher expenses from potential breaches.”
During these times of budget cuts and tightened spending, CISOs and their security teams need to demonstrate the business importance of their investments – whether it’s technology or people.
“Protecting the business is a CISO’s primary concern; however, in this macro environment, CISOs must continue to adapt to illustrate their value as a business enabler—furthering their mission of protecting their customers and their company,” Bugcrowd’s Gerry added. “In the coming decade, I suspect we’ll continue to see CISOs elevated to be peers to their business counterparts and continue to be viewed as enablers of revenue growth and protection, instead of a cost center.”
A.I. Investments Add Cyber Responsibilities
The entire cybersecurity industry has been inundated for nearly two years with product pitches and promises concerning A.I. and generative A.I. tools, software and platforms. While companies and even government agencies are eager to invest in A.I., there are concerns about the risks the technology poses to corporate infrastructures, networks and data, and about how malicious actors are using it for their own purposes.
Still, the market is continuing to grow, with IDC estimating generative A.I. spending will hit about $40 billion in 2024, and reach more than $150 billion in three years.
At the RSA Conference, experts noted that security teams are facing concerns about how to secure A.I. technologies that business departments are beginning to explore and deploy. At the same time, security leaders are drawing up plans to show how these platforms can automate many routine cybersecurity tasks.
“Embracing technology that amplifies IT and security teams’ capabilities enables them to stay ahead of threats despite budgetary constraints. The solution is not simply acquiring more tools or hiring more talent but a strategic shift towards a data-driven approach,” said Chris Morales, CISO at Netenrich.
In the years ahead, Morales and others see A.I. changing the skills needed within the cybersecurity field, but also fundamentally altering how tech pros approach security.
“This approach empowers IT and security professionals, unlocking greater value from existing investments while enhancing the work environment for security and operations teams,” Morales added. “Investing in A.I.-enabled security technologies and transforming the security operations center, CISOs, and CIOs in their organizations can create a resilient security posture that supports broader business objectives while addressing the root causes of security burnout.”
When speaking with cybersecurity practitioners at the show, Piyush Pandey, CEO of security firm Pathlock, noted that he recommends organizations take a risk-based approach that focuses on addressing vulnerabilities and threats that are having a direct effect on the business. From there, security teams can then deploy A.I.-based tools as needed.
“This often means investing in identity and application access controls, focusing first on core business applications that house critical and sensitive data,” Pandey noted. “This approach ensures that limited resources are allocated effectively to mitigate the most impactful risks. Incorporating automation and A.I.-driven capabilities into your access governance strategy can further mitigate the impact of budget cuts by enhancing the efficiency and effectiveness of security operations.”
Breaches and Cost: Major Concerns
As organizations look to invest more money into A.I., while also trimming or keeping cybersecurity budgets flat, the cost of responding to and mitigating data breaches and other threats continues to rise.
In 2023, IBM Security estimated that the cost of a data breach averaged $4.35 million for each incident, a 3 percent year-over-year increase. At the RSA Conference, several recent attacks illustrated how the costs associated with threats and breaches can spiral out of control:
The consequence of rising data breach costs is that, when combined with lower or flat cyber budgets and executive attention focused on A.I., organizations are less capable of dealing with vulnerabilities and threats. This not only affects tech pros but the workforce as a whole, since training and preparedness suffer, Critical Start’s Jones noted.
“The impact of shrinking cybersecurity budgets can lead to increased vulnerabilities in the organization and limited training and development of the workforce. The combination of these factors leads to a staff that is not up to date on the latest threats and defenses, and an organization that is at increased risk, increasing the chances of an exploit and leaving the organization more vulnerable to attacks,” Jones said. “When you put this with the rising cost of a data breach, which can include the direct and indirect financial costs, regulatory and compliance penalties, legal fees and litigation costs, and reputational damage, the impact can be catastrophic.”
One way to drive home the costs of data breaches and other threats is to ensure that security teams are depicting these incidents in business terms that allow the other parts of the organization, especially leadership and the C-Suite, to understand the consequences.
“Cybersecurity is a critical component of overall business resilience and trust. In addition, security burnout, an escalating issue in the cybersecurity community, has reached a crucial point, especially for security analysts and managers handling their organization’s security operations,” Morales said. “This burnout is primarily due to the increasing volume of security events and is further exacerbated by a skills shortage and the complexity of managing these newer threats.”