2019 Security Budgets - Forecast is Cloudy
January 14, 2019

Mark Moore
Threat Stack

Budget season is an important time of the year for businesses because it gives senior IT and security leaders time to reflect on what went right this year and what initiatives need to be given priority in the new year. Recent research from Threat Stack shows security budgets are expected to increase by 19 percent to an average of $773,412 over the next two years, but business leaders are still facing challenges determining where to allocate this budget in the face of rapidly evolving infrastructure.

With less than half of their infrastructure remaining on-premise (41 percent), businesses are increasingly making migrations to infrastructure-as-a-service (IaaS) (25 percent), platform-as-a-service (PaaS) (17 percent), and containers (10 percent). This is one of the primary reasons why respondents indicated that their top two budget investments in 2019 will be directed at cloud workload security and intrusion detection systems (IDS).

Here are some additional important insights from the report around security budgeting:

Short-Term IT and Security Approaches Impede Long-Term Scalability

A common complaint cited by enterprises large and small is significant friction between their security and DevOps teams. This isn't just a source of frustration — the end result of this misalignment is an IT and security strategy that senior-level decision-makers feel is not scalable. Indeed, many enterprises — 54 percent of respondents — believe their organization is at risk of outgrowing its security solutions. Businesses aren't taking a strategic view of their IT planning — 52 percent of respondents indicated that their organization's current security technology is not well enough coordinated to sustain future growth.

The Cybersecurity Skills Gap is a Major Concern

Organizations reported needing more budget to hire security team talent as 66 percent agreed that they need more staff capable of managing security projects. Often a lack of experience increases security risks to organizations that are transitioning infrastructure to the cloud, leaving a greater margin of error for attackers to exploit.

Friction Between Security and DevOps Teams

Previous research indicated that while DevSecOps is a stated goal at most organizations, it is far from a reality. In fact, the two areas appear to be at significant odds internally. A common complaint within organizations is that development is working contrary to security team goals: 91 percent of respondents believe that development teams introduce risk to the organization. And a significant portion (29 percent) of respondents believe that their organization prioritizes releasing code that “works” over code that is secure.

Security teams are carrying their own organizational baggage as well. Almost three-quarters of respondents (74 percent) agreed that the security team is under pressure to keep pace with development and operations, and 63 percent believe their security team slows down the speed of their business.

The Threats for Organizations Using Containers

The majority of practitioners in the trenches using containers (58 percent) reported that cloud infrastructure security was their greatest concern, followed by phishing attacks (40 percent), while their organization as a whole was most concerned about data breaches impacting intellectual property (51 percent) and breaches impacting customer PII (42 percent). This data shows that organizations as a whole have a more reactive mindset about security than security practitioners do, focusing on the end (breaches) rather than the means (attack vectors).

In other words, if organizations paid more attention to the concerns of day-to-day practitioners and implemented proactive security measures, the infrastructure misconfigurations and vulnerabilities that increase their risk of a breach might be addressed more quickly. The good news is that the majority of container security budgets are going toward cloud workload security, which suggests that spending is properly aligned with the risks that practitioners see every day.

Containers, DevSecOps, and the skills gap are buzzwords, but organizations must ensure that they are capable of aligning their people and technology to make the most of these investments. Short-term thinking can derail a cogent IT and security plan, so it's important that IT and security leaders think not only about what areas they need to improve in 2019 but also beyond.

Mark Moore is Senior Software Security Engineer at Threat Stack