How Much Should you Spend on Cybersecurity?

Cybersecurity worries, compliance concerns, and the impact thereof is still growing quickly, with COVID-19 introducing a range of new issues. Yet, in our 2020 CIO survey, senior tech leaders reported that an average of just 9% of IT budgets is dedicated to cyber security services.

Do companies get sufficient cyber security firepower by spending just under ten percent of IT budgets spent on cybersecurity?

In this article, we outline why we think that there’s a risk that organisations may think that they are allocating a sufficient proportion of their tech budget, when in reality they are spending too little.

We also hint at the key areas for cyber security spend and outline how tech leaders can use their influence to boost cyber security in their organisation.

Insufficient cyber security spend might reveal itself too late

A lack of protection may take a very long time to reveal itself. But that can change rapidly, as a catastrophic event brings economic costs for your business. Of course, once that cost is realized, an organisation often increases future cyber security expenditure to protect itself.

David Murphy, a pre-sales engineer at Acora, says that “Anecdotally, we notice that companies that were victims of a cyber security breach spend much more on cyber security – these companies see security not as a box-ticking exercise, but as essential to business continuity, and rightly so.”

And the costs are very real. Studies vary, but the sums are simply staggering. A 2017 McAfee study suggests a £480 billion global annual loss, while RiskIQ’s 2018 numbers suggested £ 1.2 trillion per annum lost to cyber breaches. It should serve as a warning sign for companies that are underspending on cybersecurity.

Vulnerabilities and exploits are trending are upwards

It’s clear that the costs of cybercrime are high, but is the overall cyber security danger receding – or growing? Are cyber security budgets proving effective? Accenture’s 9th annual cost of cybercrime study found an 11% rise in security breaches between 2018 and 2019, and a whopping 67% rise from 2014 to 2019.

That is an obvious sign that cybercrime is accelerating, and the argument can be made that the trend will only be stopped by intelligent, effective cyber defence budgets. In the absence of further spend, the result may simply be more breaches and therefore higher costs for businesses.

Whatever your views on the sufficiency of existing budgets, spend trends are upwards. According to Gartner, spend on external cyber security services is set to grow at an annual rate of 8.4% through 2026.

A 2019 CSO Online survey likewise found 66% of respondents suggested that cyber security budgets are on the rise. Where should your organisation spend this new money?

Spending a growing cyber security budget

Smarter spending delivers better results, and you should prioritise tools that drive security efficiency. We think that these are three key areas:

Automation can give cyber security spend a boost

Automation is high on the list. Intelligent, AI-driven cyber security tools deliver greater value for money and offer superior protection too.  Indeed, in some ways, automation is really the only way to stay ahead of a rapidly evolving threat landscape.

Don’t lose focus of endpoints

Endpoint security is an established, but growing concern and must also be a priority for security budgets.
We know that 2020’s shift to remote working brought countless new endpoints into the picture. According to IDC, 70% of all breaches still originate at endpoints, despite the increased IT spending on this threat surface. Neglecting endpoint security is unwise.

Disaster recovery planning is critical

Of course, no matter how much you spend on cybersecurity, you will never be able to comprehensively mitigate all threats. That’s why budgeting for disaster recovery and resiliency is equally important.
Tech leaders should allocate a proportion of cyber security funding towards testing, and to developing plans to respond in the worst-case scenario. Extended, clumsy recoveries can be more expensive than the attack itself.

The role of technology leaders in cybersecurity

Cybersecurity spend delivers essential firepower, but it is up to senior technology staff including CIOs to ensure optimal use of cyber security funds. It implies continuous spending reviews, and clear controls. A benchmarking process can help, whether an internal plan, or a framework such as ISO 27001.

That said, cyber security is not just about building technological walls and manning electronic checkpoints. Users are, after all, one of the weak points in cyber security defence – in part due to the unpredictable nature of human behaviour. Sophisticated social engineering can bypass highly secure systems.

So, it is essential that you allocate a budget for persistent, ongoing user education. But there is a further essential step: you must provide deep and persistent leadership. User education and culture is driven from the top.

Last, we believe that technology leaders need to use their influence to lift cyber security concerns to the top of the agenda. You must be present at the enterprise risk management table, persuading senior leadership that a security-first posture is simply not optional.

What, then, is the right cyber security budget?

It’s impossible to suggest a definitive number, or a recommended percentage of IT spend that should go towards cybersecurity. Each organisation has a different cyber security profile – with a different threat surface, and varying compliance obligations.

But there’s little doubt that cyber security budgets are increasing in line with an ongoing increase in cyber threats. When setting budgets you must ensure that senior colleagues and board members are aware of the risks, using your influence to push for sufficient funding by outlining the clear risks of skimping on cyber security protection.

While it is up to technology leaders to take a view on threats and to spend budgets smartly it is also critical that they use their increasing influence to push for a cyber security budget that has the firepower to counter today’s threats.

Interested in reading more about the changing role of the CIO and how technology leaders can drive business change – and business success? Read our full 2020 CIO report here.