Cybersecurity is worth the spend


With earnings season approaching, organizations face a constant battle between growth and efficiency. It’s a back-and-forth pendulum that swings through macro changes, business results, challenges, and success. Businesses are continuously questioning whether they should accelerate marketing spending, look for ways to cut costs, and gauge whether their current budget is effectively geared toward driving an appropriate return on investment (ROI). Typically, across board rooms and leadership teams, general and administrative (G&A) systems are thought of as overhead: a cost element needed to mitigate risk and meet compliance standards, rather than one that generates a return.

Businesses often have a relatively large IT and security budget, but only a handful of people in the organization typically know how that budget is actually used. Fewer still can identify the ROI of each component of the stack that budget pays for. For businesses trying to set an appropriate cybersecurity budget, ROI should not be an afterthought; it should be the starting point. Spending $100,000 per year may feel like a lot, but it is a good investment if it prevents $1 million in annual cyberattack losses.

Roei Khermosh

CFO, Cymulate.

Why cybersecurity is immune to recession

Companies of all sizes are susceptible to cyberattacks, no matter how many layers of defense they have in place. According to research from Harvard Business Review, organizations with 10,000 or more employees typically maintain almost 100 security tools, yet even well-established global companies continue to be victimized by cyberattacks. The unfortunate truth is that it simply isn’t possible to stop 100% of attacks. As a result, most organizations are beginning to shift their thinking away from prevention alone and toward limiting the damage an attack can cause and understanding where their actual vulnerabilities lie.

CIOs, CISOs, and the rest of a leadership team are ultimately responsible for protecting their company’s assets. Organizations spend millions of dollars on cybersecurity annually, as the overall security market is heading towards $300B in total addressable market (TAM). With this in mind, CISOs are seeking more budget flexibility to ensure they are meeting their company’s goals. As the number of cyberattacks increases and these attacks become more sophisticated, too many CISOs still struggle to answer basic questions about whether their company is secure and how well protected their assets actually are.

In order to accurately answer those questions, CISOs need to be able to continuously measure and demonstrate cyber effectiveness to leadership. They need to illustrate risk, validate controls, understand exposures mapped to security frameworks, and rationalize security spend while managing costs. The good news for security teams? Cybersecurity will always be critical for businesses. Even during leaner times, businesses will always need to invest in cybersecurity solutions to keep their data and other assets secure. As long as security teams can use data to justify which solutions are essential to their operations, cybersecurity is effectively recession-proof.

Establishing a cybersecurity budget gameplan

Under the recently adopted cyber incident reporting requirements of the Securities and Exchange Commission (SEC), registrants must disclose on the new Item 1.05 of Form 8-K any cybersecurity incident that the registrant determines to be material. Companies must also describe the material aspects of the incident's nature, scope, and timing, along with its impact on the registrant. The Form 10-K and Form 20-F disclosures are due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures are due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023.

This information doesn’t just magically appear, and gathering it requires having the right resources in place to not just detect potential security incidents, but effectively document both the course plotted by the attacker and the mitigation efforts engaged in by the organization. That means it is critical for organizations to have full visibility across their digital environments, with continuous monitoring capabilities that can detect and document changes as they occur. These continuous visibility and monitoring capabilities don’t just allow businesses to adhere to new compliance guidelines—they also help establish a solid foundation upon which to build a successful cybersecurity program. By effectively mapping out their digital environments and testing them for known vulnerabilities, organizations can have a more accurate view of their unique risk profile and better understand the steps they need to take to improve their security posture.

In practice, this means leaders must first take inventory of their data assets and their value to the company. Next, they should consider what they need to do in order to comply with industry regulations that may apply to their business, such as healthcare’s HIPAA or the European Union’s General Data Protection Regulation (GDPR). Do they need new solutions to enable additional visibility? Stronger endpoint protections? Expanded identity management capabilities? Once they have a firm understanding of their goals and the steps needed to accomplish them, leaders should look at the company’s overall IT budget. If what the company needs comes to roughly 20-25% or less of that general IT budget, they probably have a useful figure to start with. The next step is a deep dive into assessing and verifying what is working and what delivers no ROI at all. Just because a company spends money does not mean that money is being spent in the right places.

Aligning security with business

This responsibility will largely rest on the shoulders of the CISO or the CTO, and they will need to be able to effectively state and demonstrate their case to the CFO, COO, CEO, and other stakeholders. Given that most business leaders tend to think in terms of how their decisions impact the business’s bottom line, it is important to be able to properly articulate the ROI that cybersecurity investments can have. Whether those returns come in the form of eliminating redundant solutions, streamlining security processes, or preventing costly breaches, framing things in a business context is the most effective way to ensure security leaders and business decision makers can align on their initiatives.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.
