How Rate Hikes and Cuts Shape Cybersecurity Spend

Introducing Part 2 of our three-part series on how interest rates are impacting corporate cybersecurity budgets. If you missed Part 1, we covered how cybersecurity became a board-level issue and how the federal funds rate quietly influences corporate spending priorities.

In this installment, we dig into how cybersecurity budgets actually shift in high- vs. low-interest environments. From real-world data to historical examples, we’ll explore why the economy (not just the threat landscape) plays a major role in shaping security investments.

Cybersecurity Budgeting in the Corporate World

In today’s digital-first economy, cybersecurity is no longer optional—it’s a baseline requirement for doing business. But while the importance of cyber defense is widely acknowledged, how much companies actually invest in it—and how those budgets are structured—varies widely across industries, company sizes, and economic cycles.

Typical Cybersecurity Budget Allocation

Most organizations allocate between 6% and 14% of their total IT budget to cybersecurity, depending on the industry and maturity of their security programs. According to a IANS’ 2023 Security Budget Benchmark Summary, the average cybersecurity spend across industries was 11.6% of the IT budget, with financial services and healthcare typically investing more due to strict compliance requirements.

However, budget percentage alone doesn’t tell the full story. Cybersecurity spending often includes a mix of:

Technology investments (firewalls, endpoint protection, cloud security platforms)
Personnel costs (security operations center staff, threat analysts)
Consulting and third-party services
Training, compliance, and incident response planning

This diversity in spend categories makes cyber budgeting both complex and highly sensitive to financial pressures—especially when organizations are forced to prioritize or cut back.

Key Influencers of Cybersecurity Budgets

While security leaders advocate for risk-based budgeting, several factors significantly influence how much an organization is willing (or able) to spend:

Regulatory Requirements: Compliance frameworks like HIPAA, PCI-DSS, and GDPR often set a baseline for required controls, dictating minimum investment levels. Noncompliance can lead to significant penalties, as seen in recent fines levied under GDPR enforcement actions.
Threat Landscape: When breaches dominate headlines, when a peer in the same sector is compromised, or new threat techniques enter the market such as generative AI, security budgets often get a temporary bump. For instance, the buzz around GenAI has continued to increase investments into security software, Gartner reported a surge in demand for application security, data security and privacy, and infrastructure protection.
Executive and Board Priorities: When cybersecurity becomes a board-level topic—as it increasingly does—it receives more consistent funding. The National Association of Corporate Directors (NACD) emphasizes that cyber risk oversight is now a core fiduciary duty.
Incident History: Organizations that have experienced a breach are far more likely to increase cybersecurity investment. Unfortunately, in many cases, meaningful budget increases only come after a costly security event.

Budgeting Trends by Industry

Some industries are naturally more security-conscious due to the nature of the data they handle:

Financial Services: Often lead in security spending (~12–15% of IT budgets), driven by stringent regulatory compliance and the high value of digital assets.
Healthcare: Investments are rising quickly due to ransomware risk and HIPAA requirements.
Manufacturing and Energy: Historically underfunded, but now increasing investments due to growing threats to industrial control systems (ICS).

Despite these variations, a consistent theme emerges - cybersecurity budgets are highly reactive and prone to fluctuation based on both external threats and internal financial pressures.

The Correlation: How Interest Rates Impact Cyber Budgets

While cyber threats evolve on their own timeline, cybersecurity funding often does not. In practice, corporate cybersecurity budgets tend to rise and fall in tandem with broader economic conditions—and federal interest rates are one of the most influential economic levers.

A. High Interest Rate Environments: Tightening the Belt
When the Federal Reserve raises interest rates, it becomes more expensive for companies to borrow money or raise capital. In response, businesses typically adopt a more conservative financial posture: reducing discretionary spending, pausing major initiatives, and scrutinizing every line item—including cybersecurity.

According to a Cybersecurity Dive, many companies face pressure amidst the economic volatility and directly impacted their ability to fund cybersecurity programs, with many reallocating funds toward core business continuity and cash preservation efforts.
In high-rate environments, finance teams often pressure security leaders to demonstrate short-term ROI, which can deprioritize long-term initiatives like cloud migration security, proactive threat hunting, or modernization of legacy systems.

This dynamic creates a paradox: Just as threat actors become more active during economic uncertainty, security budgets often stagnate or shrink.

B. Low Interest Rate Environments: Opportunity to Invest
Conversely, when interest rates are low—as they were throughout much of the 2010s and during the early pandemic years—companies are more likely to:

Take on strategic risk, including digital transformation and cybersecurity modernization.
Invest in AI-driven security tools, automation platforms, and cloud-native security services.
Expand security teams and pursue proactive resilience programs (e.g., red teaming, tabletop exercises, and zero trust architecture).

According to Statista, global cybersecurity spending jumped during low-interest periods, especially in cloud security, endpoint security and application security.

In these environments, cybersecurity is often positioned not just as a cost center but as an innovation enabler and risk differentiator, supporting digital business initiatives with measurable business outcomes.

C. CapEx vs OpEx: Procurement Models Matter
Interest rates disproportionately affect capital expenditures (CapEx)—long-term investments in hardware, infrastructure, or major software deployments. As financing costs rise, businesses may delay expensive on-premises security projects or data center upgrades.

However, operational expenditure (OpEx) models—such as managed security services, security-as-a-service, and subscription-based tools—are more adaptable to volatile markets. This is one reason why cybersecurity vendors offering flexible consumption models have grown significantly during high-rate cycles. A Forrester analysis notes that even small to mid-sized companies prefer OpEx-heavy models during periods of economic stress to preserve cash flow and agility.

Data and Trends: Historical Evidence and Case Studies

Understanding the relationship between federal interest rates and cybersecurity budgets requires looking at how companies have behaved in past economic cycles. By examining historical spending trends, survey data, and real-world case studies, a clear correlation emerges: monetary policy influences how aggressively companies invest in cybersecurity.

A. Historical Data Analysis: Budgets Rise in Low-Rate Periods
From 2008 to 2021—an era marked by historically low interest rates—corporate cybersecurity spending increased steadily year over year. According to Statista, the global cybersecurity market grew from $27 billion in 2010 to $167 billion in 2023, with key surges during periods of low borrowing costs that enabled tech-driven transformation and digital risk mitigation.

Even during the COVID-19 pandemic, when rates were slashed to near-zero, cybersecurity remained a top priority. An UncommonX State of Cybersecurity report found that 76% of companies planned to maintain or increase cybersecurity budgets in 2021, despite overall IT budget constraints.

Key takeaway: Low-rate environments encourage forward-looking security investments, including identity and access management (IAM), endpoint detection and response (EDR), and zero trust frameworks.

B. Budget Contraction During Rate Hikes (2022–2023)
The Federal Reserve raised interest rates 11 times between March 2022 and July 2023 in response to inflation, marking the most aggressive tightening cycle in over 40 years. The effect on tech and cybersecurity spending was immediate and measurable.

According to a CFO Dive, Companies increased their cybersecurity spending by 6% on average this year, a significant drop from the previous budget cycle’s 17% rise. And, “Cybersecurity budgets were not immune to the inflationary pressures and global instability of 2023”
A 2024 GovTech report echoed this, noting that “while many CISOs saw budget increases, the growth slowed considerably—from 17% in 2022 to just 6% in 2023” indicating that economic headwinds, including inflation and borrowing costs, have tempered security investments.

C. Case Study: Cyber Spending Post-SolarWinds Breach
In contrast to rate-driven cycles, major cyber incidents can temporarily override economic pressure. After the SolarWinds supply chain breach in late 2020, companies across industries accelerated their investment in supply chain security and threat detection tools—even amid pandemic-era budget constraints.

A Palo Alto Networks survey found that nearly 70% of large enterprises expanded cloud security investment in 2021, with SolarWinds cited as a key driver.
The U.S. government responded with Executive Order 14028, mandating stronger cybersecurity for federal suppliers—forcing private sector vendors to follow suit. (White House Fact Sheet)

While this uptick was notable, by 2023 the pendulum began to swing back as interest rate hikes led to a more cautious financial environment, demonstrating that even breach-driven momentum can lose steam when macroeconomic pressures mount.

D. CISO and CFO Surveys Reflect Strategic Tension
Surveys of senior leaders reveal the increasing tension between cybersecurity needs and financial headwinds:

A CSO Online found that 65% of CISOs struggled to secure budget increases, even while facing rising threat levels.
86% of state CISOs say responsibilities are growing, yet more than one-third do not have a dedicated cybersecurity budget — from the Sept 30, 2024 Deloitte–NASCIO Cybersecurity Study, which highlights budgetary challenges and financial scrutiny from CFOs.

This internal budgetary friction becomes even more pronounced in high-interest environments, where every department is required to justify its strategic relevance and bottom-line impact.

Budgets are about more than just line items, they're about people. In our final installment in the Federal Interest Rates series, we'll examine how macroeconomic pressures affect cybersecurity teams on the ground and what strategies moves leaders can make to adapt. Join us next week for Part 3, Resilience Overhead: Protecting People and Strategy in a Volatile Economy.

Don't miss another article. Subscribe to our blog now.

Subscribe now

Included Topics

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.