How much is enough? How to build a targeted and sustainable cybersecurity budget

Aligning cybersecurity investment with the business’ goals is a key element of success; managing the two at the same time, however, can be extremely challenging. Kev Eley, Vice President Sales, Europe at LogRhythm, explores what the right amount of cybersecurity is to mitigate priority risks and offers his best practice advice for building a targeted security budget that supports growth.

Historically, the fear of cyberthreats put organisations and their security operations teams on the defensive. So much so that they still strive to design security plans that try to protect every part of their infrastructure.

With the overwhelming number of systems for organisations to protect and the growing cyberthreat landscape, the ‘more is better’ model, although logical at the beginning of the cybersecurity battle, is simply no longer sustainable.

According to Statista, spending on global Digital Transformation is projected to reach US$1.8 trillion by the end of 2022 and by 2025, it’s forecast to reach US$2.8 trillion. Today’s IT environments are continuously expanding as organisations adopt new technologies while also running existing legacy systems. On top of this, more organisations are now exploring the option of adding Internet of Things (IoT) capabilities to their operations.

Unless organisations are armed with a huge cybersecurity budget and unlimited resources to manage all applications, keeping up with the continual and accelerating change in the technology environment won’t work. Organisations need to readjust the ways they are distributing their cybersecurity budgets to realise greater efficiencies.

A new approach from CISOs

For almost every organisation, the cost of staffing well-trained analysts on site 24×7 outweighs the benefit. CISOs must instead take a more targeted approach to planning their cybersecurity budget: a ‘risk optimisation’ process in which cybersecurity investments are guided by business outcomes.

Cyber risk optimisation is about understanding threats, priorities and business investments and using these insights to design a cybersecurity strategy that takes on the correct amount of risk. Aligning the cybersecurity policy with business objectives allows for the strategic funding of security operations resources.

With this approach, organisations can create a proactive cybersecurity and risk optimisation programme that helps answer the question: What is the right amount of cybersecurity to mitigate the priority risks? Organisations must consider the following factors to achieve a targeted security budget for growth.

Moving away from the ‘more is better’ cybersecurity model

The rapid expansion of the cyberthreat landscape, combined with limited resources, has fuelled the need to rethink cybersecurity programmes.

Gartner estimates that cybersecurity spending in 2021 totalled approximately US$150 billion, up more than 12% from 2020. Yet, despite the higher investment in cybersecurity, cyberattacks keep growing in number and advancing in complexity.

Most organisations acknowledge the need for a Security Operations Centre (SOC), but they are unsure about the implementation costs. Using a risk optimisation approach, organisations can discover how to build a SOC with limited resources.

A hybrid SOC (a combination of in-house employees and outsourced services) is the just-right solution for many organisations that cannot justify the cost of a formal, fully staffed SOC yet cannot tolerate the inadequate protection of an informal one. A hybrid SOC that balances people, processes and security information and event management (SIEM) technology achieves immediate and ongoing cost savings compared with the other SOC models.

Companies need to pivot and learn how to maximise cybersecurity spending in an era of costly cyberattacks. While the cost of deploying the necessary security controls is measurable, the cost to an organisation’s reputation after a successful data breach is far harder to quantify and can dwarf it. Cybersecurity needs to be a top priority for organisations if they are to avoid the risk of a damaging attack.

Aligning cybersecurity priorities and investments with business goals

The days of relying solely on security and IT teams for cybersecurity decisions are gone. After all, business stakeholders know their business’ privacy, data protection and regulatory risks better than anyone and should be invested in the cyberthreat conversation.

A CISO’s understanding of the top security concerns of key business stakeholders, the business objectives, the critical business areas, and the systems and networks that support those areas is what informs an organisation’s cyber programme. This knowledge connects security initiatives with business outcomes and produces a security posture that addresses the biggest threats to the organisation first.

The cyberthreat game board is changing all the time and CISOs are working hard to keep up with shifting priorities. Discussing business outcomes instead of security tactics helps CISOs align with stakeholders on business goals. An outcome-based discussion also helps fine-tune the programme, so that the right amount of cybersecurity investment is identified and budgeted for efficiently.

Starting the cybersecurity conversation

Once business priorities are driving key cybersecurity decisions, with IT risk mitigations rolled into those decisions rather than being their primary driver, the cybersecurity conversation takes on a more executive-level role.

In other words, once a risk optimisation approach is taken, security leaders are given a seat at the table. This allows them to educate and inform their colleagues, shifting the organisational mindset to cybersecurity as a business solution.

With security priorities becoming interdependent with business priorities, there is a solid argument that cybersecurity leaders should report to the CEO in order to gain the organisational influence the job requires.

CISOs need to be ready to talk about spending priorities and budget decisions based on an understanding of cyber risk related to the organisation’s security needs. This will inform C-suite executives with the insight they need to understand where their cybersecurity budget is best placed.

Budgeting for better outcomes

The rise of new and more sophisticated threats shows that organisations need to move to a more targeted approach to allocating their security budget. In addition, as organisations adopt digital technology at greater scale, it is becoming increasingly hard for security teams to ensure that every single aspect of their company’s operations is properly secured.

By taking a targeted approach to building a cybersecurity budget, organisations can achieve a greater return on investment and ensure they are adequately protecting the aspects of their business that require protection. This risk optimisation approach takes the pressure off security teams while enabling CISOs to align cybersecurity priorities with business goals. Through building a targeted budget, organisations can achieve immediate and ongoing cost savings and secure a sustainable future for their cybersecurity.

Intelligent CISO