Securing the future: Cyber security readiness report
Chapter 7: Constrained budgets
Investing in the right security solutions and the best talent might seem like an obvious strategy for addressing cyber security challenges. But insufficient cyber security funding remains an issue for many businesses. The good news? The more that executives become aware of security issues, the more they will support investments in cyber security. And if they adopt the right approach to security, they can make those investments go a long way.
Many organizations are already spending heavily on security. They carve out large percentages of their total IT budgets to buy new security solutions and hire personnel. Research shows that 53% of organizations spent between 11 and 20% of their entire IT budget on cyber security in the past year. Another 28% of organizations spent at least 20% — a fifth of their budget.
It might seem like larger organizations — with larger, more complex networks to defend — should be spending a greater portion of IT budgets on cyber security than small or medium-sized organizations. But the difference in spending between large organizations and everyone else is not huge. In our survey, more than a third (35%) of large organizations spent more than a fifth of their entire IT budget on security solutions and staffing. But 26% of medium-sized and small organizations spent a similar portion of their IT budgets.
Spending does vary according to industry. Our survey found that healthcare, transportation, and financial services organizations spend the most for cyber security. Yet businesses in these industries are not necessarily better prepared, at least according to their own estimation. In our survey, only 16% of respondents in healthcare reported that they are sufficiently prepared to handle security threats.
Cyber security budgets should increase in the future. Two thirds (67%) of survey respondents expect bigger budgets in the next 12 months. These respondents anticipate substantial budget increases of between 11 and 20%. Another fifth (22%) of respondents expect to maintain their current level of expenditures on cyber security.
Businesses in fields that are already spending more will continue spending more in the future. Survey respondents from financial services, healthcare, and transportation companies all anticipate higher spending. Meanwhile, respondents from industries such as retail and manufacturing, which might be affected by inflation or other economic trends, expect reductions in cyber security budgets.
Why will budgets expand for some businesses? The increasing rate and severity of cyber security incidents are key reasons. Leadership teams should always evaluate cyber security budgets in light of their organization’s risk profile and risk tolerance: Not all risks just justify large investments. But a growing number of organizations have faced large-scale attacks that have resulted in huge financial losses — including losses from regulatory fines, lawsuits, remediation efforts, and lost business due to damaged reputations. For many leadership teams, these events surpass a level of acceptable risk: Leaders realize they must step up their investments.
Of course, not all investments deliver equal benefits. For example, to make the most of their cyber security budgets, organizations must still avoid the pitfalls of point solutions, which can incur high acquisition and management costs without delivering adequate protection.
Unless teams rethink legacy security strategies, even the largest investments are likely to be insufficient. As Cloudflare Chief Security Officer Grant Bourzikas writes: “When I was the CISO of a large global bank, we had a billion-dollar budget and 1,500 employees for security. But even those resources weren’t enough to harden security and sufficiently protect the business from evolving threats.”
Whatever budget is available, security leaders will need to ensure that they are investing in approaches that will have the greatest impact. For most organizations, implementing a single, unified security platform is the best approach. By unifying security, they can address a wide range of security threats while avoiding the complexity of numerous point solutions and the challenges of an ongoing talent crunch. Organizations can bolster preparedness while enhancing operational efficiency.
Continue to Chapter 8: Competing priorities in advancing preparedness
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Key takeaways
After reading this article you will be able to understand:
Survey results from over 4,000 cyber security professionals
New findings on security incidents, preparedness, and outcomes
Considerations for CISOs to secure the future and achieve better outcomes for their organization