Security budgets not meeting current needs

Published on the 01/02/2023 | Written by Heather Wright


And 11 percent only able to protect ‘most critical assets’…

Less than half of companies say they have the budget needed to fully meet their current cybersecurity needs, with 11 percent reporting they have only enough budget to protect their most critical assets.

That’s according to a new survey of global IT and security professionals by the Neustar International Security Council (NISC), an ‘elite’ group of select cyber security leaders across key industries and companies.

The survey, conducted in December, suggests that the macroeconomic pressures coming to bear on companies are putting the squeeze on cybersecurity spend for some, with 35 percent saying their organisation’s cybersecurity budget would stay the same or decrease (six percent) this year.

While the majority of those surveyed by NISC believe the C-suite and board decision-makers do understand the current cyber risks, including recognising the importance of multi-layered defence strategies and the need to make protecting the organisation an ‘integral’ part of business operations, 44 percent say that a stagnant cybersecurity budget will mean their business is more exposed and at risk.

The increased pressure on cybersecurity budgets was highlighted late last year during a Palo Alto Networks earnings call in November. Nikesh Arora, chairman and CEO of the security company, noted then that the company was seeing some ‘marginal signs’ of impact due to the uncertain economic times.

“Cybersecurity deals are getting more scrutiny, suggesting deeper and longer reviews of transformational projects,” Arora said.

“While some deals have been sized down or broken into phases, we are experiencing few deal cancellations.”

That suggests that investments in the coming year are likely to be more tactical, with projects broken into smaller bites.

For tech and cybersecurity teams, the situation promises to compound the increased pressure they’ve been facing in recent years as companies turned to new digital initiatives, often in the face of skills shortages, while defending a growing attack surface from larger, more sophisticated attacks in an increasingly complex threat landscape, Carlos Morales, senior vice president of solutions at Neustar Security Services, says.

He says that’s likely to accelerate adoption of service-based offerings that allow enterprises to flexibly scale up resources on demand.

Security services spend is by far the largest category of security spending across both Australia and New Zealand according to Gartner, though cloud security and application security are forecast to be the fastest growing segments in the year ahead.

Gartner’s 2023 security spend forecast saw both Australia and New Zealand recording accelerating increases for overall security spend – New Zealand up 10.3 percent (albeit off a somewhat tiny base) to NZ$948 million, and Australia up 11.1 percent to AU$6.95 billion. That compares with growth of 9.7 percent and 10.7 percent respectively in 2022 and slightly lower growth a year earlier for both countries.

Both countries recorded a number of high profile – and publicity garnering – breaches last year. For Australia in particular, 2022 may have been a pivotal year for cybersecurity, with high profile attacks on Optus, Medibank and Telstra bringing cybersecurity realities home to everyday Australians – and resulting in strengthened legislation carrying with it the threat of fines of $50 million, up to 30 percent of a company’s adjusted turnover during the relevant period, or three times the value of any benefit obtained through the misuse of information.

“The pandemic accelerated hybrid work and the shift to the cloud, challenging the CISO to secure an increasingly distributed enterprise,” says Ruggero Contu, Gartner senior director analyst.

“The modern CISO needs to focus on an expanding attack surface created by digital transformation initiatives such as cloud adoption, IT/OT-IoT convergence, remote working and third-party infrastructure integration. Demand for technologies and services such as cloud security, application security, zero trust network access and threat intelligence has been rising to tackle new vulnerabilities and risks arising from this exposure.”

But while budgets might not be looking as robust as many would hope, that wasn’t actually the greatest concern for those in the NISC survey. Instead, the most significant current risk to their organisation’s IT security posture was deemed to be the increased sophistication of attacks, for 60 percent of respondents. Increased activity by attackers (54 percent) came next, with budget constraints third, alongside larger attack surfaces from an increasingly borderless business operation (both 35 percent).
