IT security management consists of tools, policies, processes, strategies, and technologies that ensure the integrity, protection, availability, and confidentiality of IT systems. In the Devolutions’ State of IT Security in SMBs in 2022-23 survey [report now available], we asked executives and decision-makers in SMBs worldwide to share their experiences and expectations in IT security management, particularly with spending and planning. Below is a recap of what we learned, and our recommendations.
Key Findings from the Survey
68% of SMBs are allocating 6-15% of their overall IT budget towards IT security. This is significantly higher than the 2021/2022 survey, which found that just 32% of SMBs were allocating 6-15% of their overall IT budget to IT security. This large year-over-year increase suggests that more SMBs are grasping the reality that a robust IT security profile is essential.
On the other end of the spectrum: 32% of SMBs are allocating less than 6% of their overall IT budget towards IT security, which is 6% higher than the 2021/2022 survey. In our view, the most likely factor driving this year-over-year decline in spending among these SMBs was (and for some continues to be) the pandemic, which forced many SMBs to cut back on all of their budgets across the company.
Nearly half (49%) of SMBs are spending more on IT security this year vs. last year. This is most likely driven by increased labor costs, as 36% of SMBs have added one or more employees to address their IT security needs.
46% of SMBs plan on increasing their IT security spending in the next 12 months, 48% plan on spending about the same, and 6% plan on spending less. The five most common projects planned for the year ahead include: implementing a PAM solution; introducing or fully integrating 2FA; expanding a password management tool for use by all employees (not just IT staff); implementing automatic password rotation; and updating VPN strategies. It is interesting to note that all of these IT security projects are related to identity and access management!
Many IT professionals in SMBs know that their companies need to invest more (and perhaps also more wisely) in IT security. However, they may face a common obstacle: some non-IT decision-makers in their companies do not fully appreciate the risks and consequences, and see investing in IT security as a “nice-to-have” option that can be ignored, rather than an essential requirement that must be addressed.
To help IT professionals get the budget and other resources they need to strengthen their company’s IT security profile, we recommend covering these five factors in any pitch, proposal, or presentation:
Strong IT Security Helps Earn and Maintain Customer Trust
Allocating more resources towards IT security is not just a technical issue. It is fundamental to earning and maintaining customer trust, which makes it a business issue. Consider that:
- 81% of customers view trust as a deciding factor in their buying decisions.
- 88% of customers say that trust is more important in times of change.
- 70% of customers want to know that data protection is considered a top priority by the companies that they do business with.
Companies that are perceived as untrustworthy because of weak IT security are forced to spend an enormous amount of money to try to recover. Obviously, this expense will be far greater than what it would have cost to proactively strengthen IT security in the first place!
Strong IT Security is Necessary for Compliance
Some customers will refuse to do business with a company that has not had its IT security infrastructure, governance, and controls evaluated and verified by a third party (e.g., SOC 2, ISO 27001:2013, PCI DSS, HIPAA, etc.). Since the one thing that keeps decision-makers awake at night is leaving revenues and profits on the table, conveying this message in practical terms can go a long way towards creating a paradigm-changing “aha” moment: one where IT security stops being perceived as an unavoidable expense, and starts being seen as a profitable investment.
Strong IT Security May be Necessary for Insurance
This is a trend that we have seen accelerate greatly in the last couple of years: companies with cybersecurity insurance are discovering, upon renewal of their policy, that their insurer is demanding stronger IT security controls — especially with respect to privileged access management (PAM) that supports functions such as account brokering, password rotation, role-based access control, and session recording.
Strong IT Security Sends the Right Message to Employees
Whether they are falling for phishing scams, insecurely and/or improperly sharing passwords, losing laptops — and the list goes on — end users have always been, and will always be, the weakest link in the IT security chain. An SMB that makes responsible and appropriate IT security investments sends a clear, confident message to its workforce that says: “We take strong IT security very seriously around here, and we expect you to do the same.”
Strong IT Security is Ethical
Supporting strong IT security is not just the smart thing to do. It is also the right thing to do, as it demonstrates a commitment to social responsibility and being a good corporate citizen. Simply put: when good companies win the IT security fight, hackers, rogue insiders, and other bad actors LOSE!
If you have not yet had the opportunity to download the Devolutions State of IT Security in SMBs in 2022/23 Survey Report, please click here [PDF]. The download is instant and no sign-up is required.
We also invite you to explore the other installments in our “Diving Into the Survey” series: