Median IT security budgets have more than tripled—to $5.3 million in 2022 from $1.4 million in 2018—leading to a significant increase in the cost of combating cybersecurity threats over the past five years.
These were the results of a Hiscox survey, which also revealed nearly a quarter (23%) of IT security budgets are now dedicated to cybersecurity, up from just 10% five years ago.
Meanwhile, the percentage of organizations with cyberinsurance has risen sharply, to 64% from 41% in 2018.
Despite the rise in overall budgets and the increasing share of cybersecurity investment, the number of companies without a dedicated cybersecurity role is still at 16%, the same as it was in 2018.
Piyush Pandey, CEO at Pathlock, said one could argue that 16% shows a distinct minority, but given the high-profile attacks and data loss the industry sees regularly, it’s surprising as well.
“I think it suggests that organizations are still struggling to identify the proper resources internally to staff the roles required for effective cybersecurity and compliance programs,” he said.
He added that organizations need a plan and strategy for securing the company’s most important assets that are in line with their business objectives.
He said part of this plan also needs to outline the “cost of doing nothing”—the impact of a breach or data loss—that essentially becomes their “why” from the outset.
“Within the C Suite, the CIO, CFO and, ultimately, the CEO are going to be major stakeholders,” Pandey explained. “Cybersecurity leaders should also closely align with the line-of-business leaders who are running the core business applications—ERP, financials, HR, supply chain, CRM—housing the critical data which often ends up being the company’s most important asset to protect.”
These line-of-business leaders must be involved to ensure the proper access strategies to enable the business and meet security and compliance requirements for controls and configurations.
John Anthony Smith, CEO of Conversant Group, said it is critical that CISOs and IT have the right information to present to CEOs and the board so that they understand in clear and emphatic terms both the risk that exists in the environment and the true consequences of ignoring that risk.
“Every department wants more budget, but if CEOs understand the threat environment and the dire financial and business consequences of breaches in no uncertain terms, most teams can get the budget required,” he explained.
However, IT does need to understand the right information to present, and that often requires that they make an upfront investment in getting a controls and configurations-based assessment first.
“That way they can alert senior leadership to the real risks they are taking if they choose inaction,” Smith said. “These proactive assessments also let smaller firms, or those with lesser budgets, know their greatest risks so they can prioritize both their investments and remediation steps.”
Jasmine Henry, field security director at JupiterOne, explained the most exceptional cybersecurity practitioners are intentionally using their budget on investments that provide value to multiple teams across the organization.
For example, an application that can unify cybersecurity insight by integrating data from cloud service providers (CSPs) and security monitoring tools may offer alerts or dashboards that are valuable for engineering, product or leadership teams.
“Leaders can secure buy-in for security initiatives and future budgets by ensuring investments offer value to the organization,” she said. “Intentionally cross-functional systems are another sign of the evolution of shared security responsibility.”
Henry said being intentional about collaboration is essential for cybersecurity leaders to navigate organizational shifts toward trends such as platform engineering and anything-as-a-service (XaaS).
Pandey said his firm is seeing more and more organizations increasing their budgets around the testing, monitoring and enforcement of their controls, such as application access and application security configurations.
“With proper access governance and application security controls, the potential risks for cyber breach or data loss are significantly reduced,” he explained.
Smith said because budgets are tighter with the current economic downturn and layoffs abound across many sectors—offset against an escalating cyberthreat environment brought on by international tensions—budgets need to be allocated in a more targeted fashion.
“In other words, they need to be spending their dollars smarter, and that applies to companies of all sizes,” he said. “Instead of buying new tools and slapping them on the pile hoping they work together, they must understand where their true gaps lie and allocate spend to fixing those weaknesses.”
From Smith’s perspective, CISOs, IT teams and security directors will never gain adequate budget for security without being able to concretely explain the current risks the organization faces in terms the C-suite can understand—dollars and cents.
“Breaches are costly,” he said. “We see breaches that can cost millions an hour in downtime, and that’s just one cost item.”