Fifty-five percent of technology and security executives in our Global DTI 2021 survey plan to increase their cybersecurity budgets, with 51% adding full-time cyber staff in 2021 — even as most (64%) executives expect business revenues to decline. Clearly, cybersecurity is more business-critical than ever before.
Still, 26% will need to do more with less, and 13% will have to make do with static budgets. “The circumstances we find ourselves in with the economy are putting a lot of pressure on security organizations to make sure that the investments we're making are efficient and high-value,” says Katie Jenkins, CISO, Liberty Mutual.
Getting the most value for every cybersecurity dollar spent becomes more critical as entities digitize: every new digital process and asset becomes a new vulnerability for cyber attack.
More than half (55%) of business and tech/security executives lack confidence that cyber spending is aligned to the most significant risks. Or that their budget funds remediation, risk mitigation and/or response techniques that will provide the best ROI (55%). Or that budgets provide the resources needed for a severe cyber event (55%). Or that the process monitors the cyber program’s effectiveness compared to expenditures (54%).
Cyber budgets could — and should — link to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way, but 53% lack confidence that their current process does this.
And with regard to preparedness for future risks, executives are not confident that cyber budgets provide adequate controls over emerging technologies (58%).
With confidence lagging in the process used to fund cybersecurity, executives say it’s time for an overhaul. Forty-four percent say they’re trying new budgeting processes, and considering how best to convince the CEO and board to assign needed funds. Nevertheless, more than one-third strongly agree that organizations can strengthen their cyber posture while containing costs — thanks to automation and rationalization of tech.
Our cyber budget/process is:
Cyber managers can do more with less, but to do so they need to quantify cyber risk and use the information to make smart choices that protect the business’s security, privacy, and cash flow.
Seventeen percent of the executives in our Global DTI survey have quantified cyber risks, and are realizing benefits from doing so. For instance, a highly acquisitive company that quantifies cyber risks can evaluate deal opportunities faster and more systematically. A financial institution that handles millions of transactions a day can do daily and weekly threat and vulnerability assessments — staying alert to the performance of underlying controls and any need to reallocate resources.
Cyber risk quantification is not for the faint-hearted, with many obstacles in the way: lack of a widely accepted model, lack of people who understand cyber and risks from a business lens, and lack of scalability. Nevertheless, nearly 60% are beginning to quantify risks or have implemented at scale. And nearly everyone else (17%) plans to begin risk quantification within the next two years.
The economics of cybersecurity has long focused on the cost side (compliance, updating capabilities, and so on). This must change. The cyber strategy reset — considering cybersecurity in every business decision — means connecting cyber budgets to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way.
Putting a dollar amount on the value of a cyber project, in terms of risk reduction or less costly compliance, allows comparison of the costs and value of cyber investments so they can be prioritized. Quantification also makes it easier to measure the value of the overall portfolio of cyber investments against business objectives. This kind of rigor and sophistication will be increasingly demanded — especially as the markets and regulators hold CEOs and board members more accountable for cybersecurity and privacy.
“The circumstances we find ourselves in with the economy are putting a lot of pressure on security organizations to make sure that the investments we're making are efficient and high-value."