General security

Cybersecurity budgeting and spending trends 2020: How does yours compare?

Rodika Tollefson
May 19, 2020 by
Rodika Tollefson

Cybersecurity spending grows

Protecting data and assets becomes more complicated as threats evolve. Cybersecurity budgets continue to grow every year, reflecting this complexity. Analyst data shows that spending on cybersecurity is not only growing, but also growing faster than IT spending overall.

Gartner has estimated that worldwide security spending grew 10.5% in 2019, compared to 0.4% growth in IT spending. The Enterprise Strategy Group (ESG) also found that the majority of organizations planned to increase their spending in 2020. Research published recently by ESG showed that 62% of surveyed organizations said they would increase their spending, and only 36% said they would keep budgets flat. Considering that cybersecurity is on top of the agenda for many executives, it’s likely that budgets will keep growing.

How much are companies spending on cybersecurity?

Cybersecurity budgets vary based on industry, company size, business model, risk appetite and various other criteria. But size isn’t necessarily a major factor in how much of the IT budget is dedicated to security. A CIO survey asked nearly 700 IT executives how much of their IT budget went to security, and the mean answer, regardless of company size, was 15%. 

As a rough benchmark, a Cisco Security report determined that 46% of midmarket organizations (with 250-999 employees) spent less than $250,000 in 2019, while 43% spent $250,000 to $999,000. For larger companies (1,000–9,999 employees), the most common spend was $250,000–$999,999, while large enterprises with more than 10,000 employees were more likely to spend over $1 million on their security programs.

What are the security spending priorities?

As new threats emerge, organizations change their security priorities accordingly. Digital transformation also plays a role, especially as organizations continue to shift infrastructure, workloads and applications to the cloud. 

Another factor that impacts security budget allocations is regulatory compliance. With new laws such as the European Union’s General Data Regulation Protection (GDPR) and the California Consumer Privacy Act (CCPA) bringing financial risk due to potential fines, compliance becomes a priority even for previously unregulated industries.

Based on a survey of 450 IT and security leaders, the five leading factors for cybersecurity spending in 2020 are:

  • Regulatory compliance (69% of responses)
  • Reducing incidents and breaches (59%)
  • Keeping up with the evolving threats (57%)
  • Maintaining reputation in the industry (43%)
  • Investigating and responding to events and incidents (40%)

Additionally, the survey found four factors that will disrupt security programs the most in the next 12 months:

  • Increased use of hybrid cloud and public cloud infrastructure-as-a-service
  • New threats from bad actors
  • Developing regulations for security and privacy
  • Talent recruitment and retention challenges

Growing priority: Securing the cloud infrastructure

Gartner forecast the cloud services market to grow 17% globally in 2020. While software-as-a-service (SaaS) is the largest segment in that market, infrastructure-as-a-service (IaaS) has the highest growth. With organizations moving more of their workloads and applications to the cloud, they’re putting more emphasis on monitoring cloud security, improving authentication and adding capabilities provided by cloud access security brokers (CASBs), such as malware detection and policy enforcement.

SaaS and IaaS vendors provide a variety of robust security features for their services and many invest heavily in continuous enhancements. However, in the event of a data breach, your organization is ultimately responsible. This is why your budget should include additional cloud security measures such as access controls and policy enforcement, encryption and tokenization, multifactor authentication and traffic inspection.

Threat detection and response focused on network monitoring 

Network security remains a top priority when it comes to detecting and responding to new threats. In the SANS survey, half of the IT and security leaders identified network detection and response tools as an area of increased budget spending with the goal of fighting new threats. Conversely, 43% of respondents to the ESG survey said that among network infrastructure capabilities, network security would have the greatest impact on their organizations’ ability to grow their business.

One of the emerging challenges of securing the network is the proliferation of the Internet of Things, since IoT devices have limited embedded security. At the same time, threat actors are targeting IoT devices more. Kaspersky, for example, found an increase in the number of malware targeting IoT in 2019 when compared to 2018.

The need for continuous network monitoring grows even more if you have a remote or mobile workforce accessing your data and network from anywhere. This became especially urgent during the COVID-19 pandemic, when many organizations had to transition their entire workforce to working from home, testing the resiliency of their network defenses.

Other top areas of investment

Besides network and cloud security, some other areas of heavy investment include:

Endpoint protection: Endpoint detection and response was the third top priority in fighting new threats. Additionally, a 2019 AT&T Cybersecurity survey found that 76% or organizations found endpoint security more important compared to 12 months before, and 41% increased their endpoint security budget.

Employee training: In the SANS survey, staff skills training was ranked in the top three categories for spending increase in the areas of cloud security, protection against new threats, and privacy and security regulatory compliance. Since the complexities of IT environments are constantly growing, ensuring that your security analysts, engineers and other specialists have current knowledge is one of the best ways to keep up with best practices.

Strong authentication: Authentication is another top priority, based on a Microsoft survey which found that 59% of 100 IT executives across industries planned to invest in or expand their multifactor authentication in 2020. More organizations are also adopting a zero-trust approach, which is based on the premise that no device, connection or user should be trusted until it’s authenticated.

How should you budget?

Since technology is only part of an effective security strategy, your budget needs to take a holistic look at your people, processes and tools. And while trends may be an indicator of how your budget compares, even more important is to know your objectives. Then you can measure how well your existing efforts are working and identify the gaps where you may need to shift more resources.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.



Rodika Tollefson
Rodika Tollefson

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at