Cybersecurity is worth the investment
As earnings season approaches, organizations face a constant battle between growth and efficiency. It’s a back-and-forth pendulum swinging between macro changes, business outcomes, challenges and success. Companies are constantly asking themselves whether they should accelerate marketing spend, look for ways to cut costs and assess whether their current budget is effectively focused on delivering an adequate return on investment (ROI). Typically, boardrooms and leadership teams view G&A systems as overhead—a cost element needed to mitigate risk and meet compliance standards, rather than a cost element that generates returns.
Companies often have relatively large IT and security budgets, but only a handful of people in the organization typically know how that budget is actually being used. Unfortunately, even fewer can truly identify the ROI of each component of the stack that makes up that budget. For companies trying to determine an appropriate cybersecurity budget, thinking about ROI should not be an afterthought, but a starting point. Spending $100,000 a year may feel like a lot, but if it prevents $1 million in annual cyberattack losses, it is a good investment.
Why Cybersecurity Is Immune to Recession
Businesses of all sizes are susceptible to cyberattacks, regardless of how many layers of defense they have in place. According to research from Harvard Business Review, organizations with 10,000 or more employees typically maintain nearly 100 security tools, yet even established global companies continue to fall victim to cyberattacks. The unfortunate truth is that it’s simply not possible to stop 100% of attacks. As a result, most organizations are starting to shift their thinking from prevention to a focus on limiting the potential damage an attack can cause and better understanding where their real vulnerabilities lie.
CIOs, CISOs, and the rest of a leadership team are ultimately responsible for protecting their company’s assets. Organizations spend millions of dollars on cybersecurity each year, as the total security market heads toward $300 billion in total addressable market (TAM). With this in mind, CISOs are looking for more budget flexibility to ensure they’re meeting their company’s goals. As cyberattacks increase in number and sophistication, too many CISOs are still struggling to answer basic questions about whether their company is safe and how well their assets are truly protected.
To answer these questions accurately, CISOs must be able to continuously measure and demonstrate cyber effectiveness to leadership. They must illustrate risks, validate controls, understand exposures mapped to security frameworks, and rationalize security spending while managing costs. The good news for security teams? Cybersecurity will always be critical to businesses. Even in lean times, businesses will always need to invest in cybersecurity solutions to keep their data and other assets safe. As long as security teams can use data to justify which solutions are essential to their operations, cybersecurity is effectively recession-proof.
Creating a Cybersecurity Budget Game Plan
With the Securities and Exchange Commission’s (SEC) recently introduced reporting requirements for cyber incidents, registrants must disclose on the new Item 1.05 of Form 8-K any cybersecurity incident that the SEC considers material. Companies must also describe the material aspects of the nature, scope and timing of the incident, along with its impact on the registrant. The Form 10-K and Form 20-F disclosures are required to be filed beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures are required to be filed beginning with the later of 90 days after the date of publication in the Federal Register or December 18, 2023.
This information doesn’t just magically appear. To gather it, you need the right tools not only to detect potential security incidents, but also to document both the attacker’s path and the organization’s mitigation efforts. That means it’s critical for organizations to have complete visibility into their digital environments, with continuous monitoring capabilities that can detect and document changes as they happen. Continuous visibility and monitoring not only allow companies to adhere to the new compliance guidelines, they also provide a solid foundation on which to build a successful cybersecurity program. By mapping their digital environments and testing them for known vulnerabilities, organizations gain a more accurate picture of their unique risk profile and a better understanding of the steps they need to take to improve their security posture.
In practice, this means that leaders should first take inventory of their data assets and their value to the business. Then, they should consider what they need to do to comply with industry regulations that may apply to their business, such as healthcare’s HIPAA or the European Union’s General Data Protection Regulation (GDPR). Do they need new solutions to provide greater visibility? Stronger endpoint protections? Expanded identity management capabilities? Once they have a good understanding of their goals and the steps needed to achieve them, leaders should look at their company’s overall IT budget. If what the business needs comes to about 20-25% or less of the overall IT budget, that is probably a useful number to start with. Once that’s done, it’s time to dive deep into assessing and verifying what’s working and what isn’t delivering an ROI. Just because a company is spending money doesn’t mean it’s spending it in the right places.
Tailoring security to the company
Much of this responsibility falls on the shoulders of the CISO or CTO, and they must be able to effectively present and demonstrate their case to the CFO, COO, CEO, and other stakeholders. Since most business leaders tend to think in terms of how their decisions impact the company’s bottom line, it’s important to be able to articulate the ROI of cybersecurity investments. Whether those returns come in the form of eliminating redundant solutions, streamlining security processes, or preventing costly breaches, framing things in a business context is the most effective way to ensure security leaders and business decision makers can align on their initiatives.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.