Australia’s cyber security spending to grow 11.5% this year

Australian organisations are expected to spend more than A$7.3bn on security and risk management products and services this year, an increase of 11.5% from 2023, according to Gartner.

This will be led by cloud security spending, which will grow by 26.9% this year as Australian organisations move more workloads to the cloud.

Richard Addiscott, senior director analyst at Gartner, noted that the recent highly publicised cyber attacks in Australia, coupled with increasing regulatory obligations, are keeping security and risk top of mind for Australian organisations this year.

“As the frequency and negative impact of cyber security incidents continues to rise, every organisation is worried about a potential fallout, and industry regulators are increasingly pushing for improved competence,” he added.

In Gartner’s annual global survey of more than 2,400 CIOs and technology executives, including 87 from Australia and New Zealand (ANZ), 87% of ANZ respondents revealed that cyber security will receive their largest increase in technology investment in 2024, up from 62% in 2023.

Security services, including consulting, hardware support implementation and outsourcing services, remains the largest end user spending category in Australia, forecast to reach almost A$4.3bn in 2024. This is an increase of 9.6% from 2023, reflecting the increasingly important role security service providers play in helping organisations in Australia navigate emerging cyber security challenges.

Gartner also called for security and risk leaders in Australia to prepare for the “swift and continual evolution” of generative artificial intelligence (GenAI), as large language model (LLM) applications such as ChatGPT and Gemini are only the start of its disruption.

It added that GenAI introduces new attack surfaces that need protecting and require changes to application and data security practices and user monitoring, noting that GenAI will cause a spike in the cyber security resources required to secure it by 2025, causing more than a 15% incremental spend on application and data security.

“The use of GenAI models unlocks many benefits, but users must also contend with new unique risks, requiring new security practices focused on data protection, AI application security and content anomaly detection,” said Addiscott. “These new attack surfaces will drive security departments to spend time and money implementing GenAI security and risk management controls.”

According to Gartner, spending on GenAI will primarily be incorporated into enterprises through existing IT spending in the long-term, through software, hardware and services they are already using. “It’s reasonable to suggest we’ll see similar patterns when it comes to security spending as the security capabilities continue to evolve,” Addiscott said.

Manuel Acosta, senior director analyst at Gartner, noted that as organisations leverage GenAI to achieve security outcomes, they should also be aware of the risks involved. For example, while use cases such as threat detection and response as well as chatbots can augment existing security capabilities, there could be unintended risks related to data privacy, hallucinations and misuse.

“Data governance policies are going to mitigate those risks,” Acosta said at the Gartner Security and Risk Management Summit in Sydney this week. “Policies will not only inform users of their obligations when using GenAI, but also clarify how they consume it by providing actionable guidance and transparency, along with sanctions for any misuse of the technology.”

Acosta warned that technology providers which host GenAI models still lack controls and tools to mitigate the risks of the technology, adding that the market for GenAI trust, risk and security management (Trism) tools is small, with existing tools largely untested.

He advised organisations to test Trism tools through proofs-of-concept to determine how they perform against legacy controls in managing risks associated with data protection, content anomalies and application security. “A lot of those tools are going to augment the capabilities you have in place, and not replace them,” he added.