1 October 2024

Cybersecurity Budgets: Spend More Or Spend Better?


Should organizations be spending more or better on cybersecurity? The answer is simple: spend better. With tight budgetary constraints and cybersecurity spending barely averaging 6% of total IT budgets across industries [1], there is no "unlimited" funding – even when cyber risk exposure is high, and hardly a day passes without a prominent organization having its feet held to the fire because of a cyber incident.

Cybersecurity budgets are on the rise in 2024. Nearly two-thirds of chief information security officers (CISOs) report that their budgets have risen from 6% in 2023 to 8% this year, while a quarter experienced flat budgets and 12% faced declines, according to IANS Research [2]. Moody's 2023 Cyber Survey [3] showed that debt issuers devoted a median of 8% of their technology budgets to cybersecurity, up from 5% in 2019. The increase is a response to rapid digitalization and an accompanying rise in cyber risk in recent years.

While the continuous rise in cybersecurity spend is positive for organizational resilience, corporate budgets are facing heightened scrutiny given the more uncertain economic backdrop. This has led to enterprise cost optimization initiatives and delayed purchasing decisions. And even though cybersecurity is a priority for boards and CEOs, it is not necessarily at the top of the pile.

CISOs and security leaders should understand that securing the necessary funding to protect their company starts with developing a risk-based cybersecurity budget that is both cost-effective and aligned with stakeholders' priorities.

Business and risk-oriented language is key for a sustainable cybersecurity budget

For any CISO or security leader, whether at small and medium-sized businesses (SMBs) or large enterprises, it's critical to establish open and transparent communication with the chief financial officer (CFO) or the board of directors. Discussions must focus on the required resources in terms of people, processes and technology, ensuring they align with the organization's risk appetite.

CISOs should answer the following questions to link cybersecurity investments with top-line benefits:

  • Does the cybersecurity function provide the necessary services to the company?
  • Will the proposed investments reduce the overall risk posture to a level that is below the company's risk appetite?
  • Are we responding to the company's regulatory and compliance needs?
  • Are we measuring and reporting cybersecurity ROI, in terms of both financial value and risk mitigation?
  • How does our cybersecurity posture compare to peers?

When security leaders successfully position cybersecurity as a driver of resilience and revenue protection, boards and C-suite executives can make informed funding decisions, fostering trust among all stakeholders.

Pitfalls in managing cybersecurity budgets

Securing funding is just the first step. Once funds are allocated, the expectation is that they will drive substantiated risk reduction as a key objective. This will require cybersecurity leaders to prioritize initiatives, optimize spending and exercise demand discipline.

Some of the common challenges security leaders face in executing their budgets effectively include:

  • Cash burning: Acquiring two security tools with overlapping, redundant capabilities (e.g., two endpoint security products);
  • Overspending on low-impact areas: Enforcing the same security controls for high- and low-value assets and systems (e.g., having the same vulnerability scanning plan for low-value assets and high-value assets);
  • Overreliance on tools without mature processes: Implementing a costly supporting security solution for an ad-hoc or reactive process (e.g., identity & access management tool);
  • Inadequate vendor management: Outsourcing a security service without clear and defined performance indicators;
  • Insufficient training programs: Acquisition of a state-of-the-art solution without having trained people to support the required service (e.g., threat intelligence);
  • Poor tool implementation and integration: Implementing DLP solutions without fine-tuning policies to focus on high-risk data types or specific data loss scenarios.

Poorly executed cybersecurity budget management is not just a technical or operational issue, it's a financial risk that can lead to budget overruns, regulatory fines and uncontrolled investments.

Best practices for executing a cybersecurity budget

Just like any budgeting process, effective oversight of cybersecurity spending is crucial. Here are some best practices for executing a cybersecurity budget:

  • Regularly monitor spending and stay within the approved budget. If adjustments are needed, clearly explain the financial impact and justify reallocations in business terms;
  • Leverage smart metrics focusing on risk and investment, threat landscape and controls implementation;
  • Focus on critical risks and compliance requirements to show that the budget is spent on the most important areas;
  • Include flexibility in the budget to respond to a changing threat landscape but avoid frequent budget overruns.

Ultimately, a CISO must understand the financial aspects and business objectives behind a rigorous budgeting process. This will ensure that resources are efficiently allocated, thus enabling the organization to free up funds for new security investments.

Footnotes

1. Gartner, IT Key Metrics Data 2024: IT Security Measures

2. IANS and Artico Search: 2024 Security Budget Benchmark Report

3. Moody's 2023 Cyber Survey

Originally published 30 September 2024

