Cybersecurity worries, compliance concerns, and the impact thereof is still growing quickly, with COVID-19 introducing a range of new issues. Yet, in our 2020 CIO survey, senior tech leaders reported that an average of just 9% of IT budgets is dedicated to cybersecurity services.
Do companies get sufficient cybersecurity firepower by spending just under ten percent of IT budgets spent on cybersecurity?
In this article, we outline why we think that there’s a risk that organisations may think that they are allocating a sufficient proportion of their tech budget, when in reality they are spending too little.
We also hint at the key areas for cybersecurity spend and outline how tech leaders can use their influence to boost cybersecurity in their organisation.
Insufficient cybersecurity spend might reveal itself too late
A lack of protection may take a very long time to reveal itself. But that can change rapidly, as a catastrophic event brings economic costs for your business. Of course, once that cost is realized, an organisation often increases future cybersecurity expenditure to protect itself.
David Murphy, a pre-sales engineer at Acora, says that “Anecdotally, we notice that companies that were victims of a cybersecurity breach spend much more on cybersecurity – these companies see security not as a box-ticking exercise, but as essential to business continuity, and rightly so.”
And the costs are very real. Studies vary, but the sums are simply staggering. A 2017 McAfee study suggests a £480 billion global annual loss, while RiskIQ’s 2018 numbers suggested £ 1.2 trillion per annum lost to cyber breaches. It should serve as a warning sign for companies that are underspending on cybersecurity.
Vulnerabilities and exploits are trending are upwards
It’s clear that the costs of cybercrime are high, but is the overall cybersecurity danger receding – or growing? Are cybersecurity budgets proving effective? Accenture’s 9th annual cost of cybercrime study found an 11% rise in security breaches between 2018 and 2019, and a whopping 67% rise from 2014 to 2019.
That is an obvious sign that cybercrime is accelerating, and the argument can be made that the trend will only be stopped by intelligent, effective cyber defence budgets. In the absence of further spend, the result may simply be more breaches and therefore higher costs for businesses.
Whatever your views on the sufficiency of existing budgets, spend trends are upwards. According to Gartner, spend on external cybersecurity services is set to grow at an annual rate of 8.4% through 2026.
A 2019 CSO Online survey likewise found 66% of respondents suggested that cybersecurity budgets are on the rise. Where should your organisation spend this new money?
Spending a growing cybersecurity budget
Smarter spending delivers better results, and you should prioritise tools that drive security efficiency. We think that these are three key areas:
Automation can give cybersecurity spend a boost
Automation is high on the list. Intelligent, AI-driven cybersecurity tools deliver greater value for money and offer superior protection too. Indeed, in some ways, automation is really the only way to stay ahead of a rapidly evolving threat landscape.
Don’t lose focus of endpoints
Endpoint security is an established, but growing concern and must also be a priority for security budgets.
We know that 2020’s shift to remote working brought countless new endpoints into the picture. According to IDC, 70% of all breaches still originate at endpoints, despite the increased IT spending on this threat surface. Neglecting endpoint security is unwise.
Disaster recovery planning is critical
Of course, no matter how much you spend on cybersecurity, you will never be able to comprehensively mitigate all threats. That’s why budgeting for disaster recovery and resiliency is equally important.
Tech leaders should allocate a proportion of cybersecurity funding towards testing, and to developing plans to respond in the worst-case scenario. Extended, clumsy recoveries can be more expensive than the attack itself.
The role of technology leaders in cybersecurity
Cybersecurity spend delivers essential firepower, but it is up to senior technology staff including CIOs to ensure optimal use of cybersecurity funds. It implies continuous spending reviews, and clear controls. A benchmarking process can help, whether an internal plan, or a framework such as ISO 27001.
That said, cybersecurity is not just about building technological walls and manning electronic checkpoints. Users are, after all, one of the weak points in cybersecurity defence – in part due to the unpredictable nature of human behaviour. Sophisticated social engineering can bypass highly secure systems.
So, it is essential that you allocate a budget for persistent, ongoing user education. But there is a further essential step: you must provide deep and persistent leadership. User education and culture is driven from the top.
Last, we believe that technology leaders need to use their influence to lift cybersecurity concerns to the top of the agenda. You must be present at the enterprise risk management table, persuading senior leadership that a security-first posture is simply not optional.
What, then, is the right cybersecurity budget?
It’s impossible to suggest a definitive number, or a recommended percentage of IT spend that should go towards cybersecurity. Each organisation has a different cybersecurity profile – with a different threat surface, and varying compliance obligations.
But there’s little doubt that cybersecurity budgets are increasing in line with an ongoing increase in cyber threats. When setting budgets you must ensure that senior colleagues and board members are aware of the risks, using your influence to push for sufficient funding by outlining the clear risks of skimping on cybersecurity protection.
While it is up to technology leaders to take a view on threats and to spend budgets smartly it is also critical that they use their increasing influence to push for a cybersecurity budget that has the firepower to counter today’s threats.
Interested in reading more about the changing role of the CIO and how technology leaders can drive business change – and business success? Read our full 2020 CIO report here.