Get smart on cyber investment strategies


Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US


Funding for cybersecurity is flowing once again. But a bigger budget isn’t always the solution. Could CISOs apply cyber investments more effectively when it comes to protecting governance and processes? 

Disappointing experiences — investments that don’t pay off as well as anticipated — could sour leaders on future investments. And expectations for measurable returns on cyber investments are higher than ever.


While you should base funding decisions on your own particular set of risks and needs, cyber investment strategies aren’t necessarily intuitive. Consider pursuing these four cyber investment strategies, which may vary from conventional practices.

1. Use cyber initiatives to help create and sustain value, rather than simply protecting value.

Cyber investments frequently are defensive and reactive. While many organizations remain focused on value protection, there’s an evolving need for value creation. Partner with leadership to help accelerate your digital transformation in a way that helps reduce costs or grow revenue, and lets you simultaneously stay abreast of evolving threats.

In our experience, 30-40% of your cyber investments should be spent on protection, about 30% on detection and about 30% on response and recovery. This balanced allocation should shape which investments you prioritize, and why. It is also a useful framing when explaining your decisions to management teams.

This is one of the reasons that PwC created the secure enablement journey, designed to unlock business value through either cyber-led or cyber-embedded initiatives. Organizations beginning this journey are focused on improving the customer/employee experience, increasing revenue and enhancing cost management. In PwC’s 2022 Global Digital Trust Insights survey, more than half (55%) of the CEOs chose bigger-picture, growth-related objectives for their security team, as opposed to narrower, shorter-term expectations of defense and control.

Chart: Which of the following best describes how you/your CEO frames the cybersecurity mission to your organisation? Base: Non-CEO respondents: 2,929; CEO respondents: 673. Source: PwC, 2022 Global Digital Trust Insights, October 2021.

2. Don’t let technology solutions determine your investment strategies.

Buying individual products or solutions without having a big-picture plan for their use could result in a hodgepodge of tools. Some tools could have redundant functions, fail to sync together properly, or fail to provide adequate coverage, potentially resulting in a waste of time and money. 

Your big-picture plan should address how your investments:

  • Help ensure coverage of your biggest risks and mitigate major gaps;
  • Build the capability and agility to fight the next, potentially unknown, threat; and
  • Directly link to key business outcomes.

For example, companies typically buy separate solutions for consent management, preference management and authentication. Instead, they should treat consumer identity and access management (CIAM) as a critical component of enhancing customers' experience.

CIAM vets and verifies user identity to help secure applications and devices, but some CIAM solutions also provide a comprehensive view of your customers’ preferences and online behaviors — letting you personalize digital experiences, reduce irrelevant communications and improve customer interactions. The most sophisticated CIAM offerings provide a full range of consumer services, including privacy protection, data collection and data analytics as well as identity verification, anti-fraud features and more. These help solve a host of business problems, inspire trust in your brand and boost efforts to increase revenue.

In another example, zero trust is often sold as a solution, but it is more accurately understood as a principle (“never trust, always verify”) that informs the security architecture and program. Security based on zero trust relies on an interconnected system of security solutions and practices spanning the entire digital landscape: computing devices, the internet of things (IoT) and other endpoints. It applies to networks in their entirety, including planning, design, maintenance and ongoing monitoring, and establishes trustworthiness by continually contextualizing users, devices and other elements. Consequently, when building your zero-trust architecture, keep focused on the end goal. If you buy individual products or solutions without a big-picture plan, you could end up with a hodgepodge of mismatched tools that won’t work together — no solution at all, and a waste of time and money.

As you evaluate your cyber tech stack, don’t be afraid to turn off old cyber tech that can cause extra noise and complexity — it serves as a potential entry point for attacks and can create busywork for security professionals who are already addressing greater threats.

3. Take a data-driven approach to investment.

When it comes to cyber investments, there’s no one-size-fits-all strategy. Don’t be driven by fear, uncertainty and doubt. Your organization can benefit from programs and processes specifically designed to address your security needs, regardless of what competitors do, or which technologies attract the most attention. 

But fewer than one in three of the respondents to PwC’s 2022 Global Digital Trust Insights survey say they’ve integrated analytics and business intelligence tools into their operating model to make decisions about cyber investments and risk management. These respondents scored lowest in their ability to turn data into insights for cyber risk quantification, threat modeling, scenario building and predictive analysis — all critical for smart cybersecurity decisions.

Cyber risk quantification helps companies take a systematic approach to assessing new threats. For example, it enables an acquisitions-oriented company to evaluate deal opportunities more quickly and more systematically. A financial institution can assess threats and vulnerabilities daily or weekly to protect millions of transactions a day and stay alert to whether their controls are effective.

4. When embarking on cloud adoption, focus on shared responsibility.

Companies often don’t reach their full potential on cloud investments because CISOs and risk leaders frequently fail to collaborate effectively. In fact, while 56% of leaders view cloud as a strategic platform for growth and innovation, 53% of businesses say they have yet to realize significant value from their investments in the cloud, according to PwC’s US Cloud Business Survey.  

When shifting from an on-premises system to a cloud-based system, reevaluate your existing policies and procedures to determine whether your current expectations still apply in the cloud environment, and which adjustments are needed to accommodate the shared-responsibility model.

Your cloud strategy should align with your business strategy. So your investment should be large enough and appropriately focused on areas like change management and developing new processes. Otherwise, you can anticipate a subpar ROI.

It’s a reality that is becoming clear to security leaders: 48% of CIOs said that cloud cybersecurity tops their list of cloud capabilities they’re prioritizing over the next 12 months, according to PwC’s 2022 Global Digital Trust Insights survey. A well-planned cloud security program can accelerate your migration to the cloud. You should design your program when you begin planning your move to the cloud, or even earlier.

Bottom line

Don’t fight yesterday’s battles or buy solely to address today’s challenges. Instead, create solutions that fit into your long-term vision and strategy, even during break-glass moments. 

By doubling down on shoring up the foundation — repairing issues, strengthening perimeter protection, disabling unneeded, risky services — you allow security professionals time to move towards a reset.  

Cloud security, security awareness training and cross training security operations, endpoint security, and real-time threat intelligence capabilities are the top priorities for future cyber investments, given the persistent threat of cyberattacks, according to our survey. 

While awareness about these priorities is increasing, some organizations have coverage gaps to address: Cyber transformations are either keeping pace with digitization or lagging behind at most (63%) of the companies that responded to PwC’s US Digital Trust Insights Snapshot Survey.

Readiness to respond to today’s cyber threats isn’t enough. Take advantage of advancements in automation, analytics and AI to focus your resources on the greatest vulnerabilities. Build a sustainable strategy that leverages more innovative technologies. Cyberproofing for the future requires you to invest in essential capabilities that provide the agility to respond to the next generation of threats.
