Rising cybersecurity costs will force organizations to revisit strategies

While spending on cybersecurity continues to increase, it’s not clear to what degree that level of spending is sustainable. Some might argue that after not spending enough on cybersecurity for decades, organizations are starting to realize, and cybersecurity is now finally getting its due. However, there are others who argue that as a percentage of overall IT spending, the amount allocated to cybersecurity is coming at the expense of other strategic imperatives.

A report from The Futurum Group projects cybersecurity spending will increase at a compound annual growth rate (CAGR) of 11.6% from 2024 to 2029 to reach $287.6 billion in revenue. Based on an analysis of revenue growth forecasts provided by cybersecurity vendors that make up 70% of the market, the five fastest-growing cybersecurity segments will be integrated risk management/security operations, identity and access management, cloud security, application security and data security.

Each of those areas clearly require more attention, but as the overall size of the attack surface continues to expand, it’s not as if cybersecurity spending in other areas will be reallocated. For example, the Futurum Group report notes the network security market, valued at $27.9 billion in 2024, will grow to $43.71 billion by 2029, representing a CAGR of 9.4%, while endpoint security will grow from $22.8 billion in 2024 to $33.64 billion by 2029, for an 8.1% CAGR.

Trending strategies to help contain cybersecurity costs

Of course, the amount of dollars allocated to products and services is only a fraction of the total spend. Labor in the form of all the cybersecurity specialists, despite ongoing staffing shortages, still represents the largest segment on any cybersecurity budget. Two trends have emerged in the last few years to try to contain those costs. The first is a move toward centralizing the management of cybersecurity, and the second is the rise of artificial intelligence (AI).

In the case of the former, many cybersecurity leaders have been moving to reduce their organization’s dependency on bespoke tools, which require a specialist to master each one. The hope is that a more centralized platform approach will make it easier for a cybersecurity team to more effectively employ a range of capabilities embedded into a platform in a way that eliminates the need for a separate tool. In addition to lowering costs, there is an argument to be made that this approach will make cybersecurity teams more effective by eliminating the need to correlate events across multiple tools that have very different user interfaces.

The second hope is to rely more on AI to automate manual tasks in a way that ultimately enables a cybersecurity team to thwart cyberattacks at scale without necessarily requiring as much additional headcount. It’s not likely AI will replace the need for cybersecurity professionals, but it should augment them to the point where the cost of labor increases even higher than it already is. Of course, adversaries are making similar investments in AI, so it remains to be seen just how automated cyberattacks themselves will become. Like it or not, an AI cybersecurity arms race is now well underway.

Each organization will need to determine for itself how much increased spending on cybersecurity they can afford. The issue is less about whether the total cost of cybersecurity will increase, and more about determining how much can an organization actually afford, given the level of risk being created.