Should Security Budgets be Recession-Proof?

On one of our Techstrong email lists, Mike Vizard, our chief content officer, made the comment that security spending is recession-proof, and he had some data from Red Hat’s Global Tech Outlook (reg required) to back up the assertion.

Not surprisingly, security remains the top funding priority, with network and cloud security leading in buyer intent. But it gets better (if you are in the security business, anyway): cloud security was the top cloud infrastructure priority. Data security was the top analytics funding priority. Security automation was the top automation priority. Security is number one, even in non-security markets.

How times have changed! Selfishly, I love this. Although my view is larger than just security at Techstrong Group, I like that companies are (finally) taking security seriously and prioritizing those investments. This has been a long time coming.

But my inner contrarian forces me to ask whether it makes sense to keep investing in security, especially during a macroeconomic slowdown. Just because we can push security spending through, should we? 

First and foremost, you need to have basic security protections in place. You know—network, cloud, endpoint and monitoring. That’s the base level of foundational security, and if you’re still investing there, then you’re catching up, and that’s good. 

Beyond that, spending decisions should always circle back to risk reduction. The sad fact is that many security investments fail to measurably reduce risk. That fancy cloud security posture management (CSPM) tool doesn’t help if you don’t actually make the recommended fixes. That shiny AppSec scanning tool that plugs into the CI/CD pipeline? It doesn’t do squat unless critical issues break the builds and force the developers to fix the defects. Attack surface management tools generate beautiful charts of your environment, but you still have to do the work to protect those assets.

It’s true that you are more likely to get the budget approved for security tools/services, as everyone views these as worthwhile (if not critical) expenditures. You can thank the security industry marketing engine for that. But without the operational processes to actually make the changes and reduce the risk, you’re better off piling up the money in the parking lot and having a bonfire. At least that way, you’d be able to stay warm and eat some s’mores.

Kidding aside, you will not be rewarded for spending all of the budget money. Being a security leader sometimes requires you to realistically appraise not just whether a security tool provides value but whether your organization can realize that value.

Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.
