
From Budget To Breach Prevention: Mastering Cybersecurity Investments
By Kevin Lynch
I was recently at an executive forum and engaged in a dialogue with roughly a dozen peers. The routine introductions broke the ice until I shared that I was in the cybersecurity field. It was then that one of the CEOs said, in essence, “You’re going to make sense of all this for me. All I see is more spend, more apparent threat and my cyber leader speaking technical jargon with no sense of how cybersecurity benefits my bottom line.” The nodding heads around the room confirmed this sentiment was widely shared.
This perspective reflects a growing challenge in the business world. It’s estimated that by 2025, cyberattacks will cost businesses over $10.5 trillion annually, rising 300% from 2015. To combat these threats, nearly 60% of respondents to Optiv’s 2024 Cybersecurity Threat and Risk Management survey said they increased their security budgets, with the average budget for organizations with 5,000 or more employees being $26 million.
Although an increase in security budgets is a positive sign that organizations are taking security threats seriously, money alone won’t keep organizations protected. As an executive, your goal is to make strategic decisions with your security budget that will effectively defend your organization. This requires a nuanced approach that goes beyond simply increasing spending.
A question I frequently encounter from clients and prospects is, “How should I balance investments across prevention, detection and response?” Although well-intentioned, this framing misses the mark. The key isn’t about balancing investments but rather sequencing them strategically. This approach involves a full view of your actual risks, understanding where and when to invest, knowing where you can afford to maintain your existing posture and being clear on where you can consolidate and simplify to create true economic savings.
It’s crucial to develop a framework that links the broadest security categories to the specific controls being affected by a security asset. This is where technical and business language should connect. Use this framework to test if you have a scalable reference architecture based on zero-trust principles. Then align your investments to this framework by control, which will reveal the complexity of your choices to date.
The next step is to ensure your investments are allocated with a maturity model focused on the highest-risk areas specific to your business in the near and medium term. Then use the same maturity model to test less risky areas with a slower rate of investment where sufficiency is acceptable. Finally, challenge each investment on scale, identifying where platforms can play broader roles and provide technology spend leverage. This approach can help shed technical debt and create asset management simplicity, from security domains down to security controls.
This disciplined approach to security spend can bring technical discussions in line with business affordability and imperatives. Importantly, from experience, it often creates economic room to address gaps in your strategy. Many organizations, for instance, find they’ve underprepared for incidents and could benefit from allocating resources to more frequent learning tools and stronger response capabilities. I have confidence that taking the above approach will create some space for that to occur.
But how did we arrive at the current state of affairs? Part of the problem stems from past investment strategies. A top challenge organizations face today is cybersecurity tool overload. Our report also reveals that, on average, organizations use a whopping 54 separate cybersecurity tools. Not surprisingly, 40% of organizations believe they have too many cybersecurity tools to manage. Conversely, 31% of organizations believe they don’t have enough tools. That leaves only 29% who believe they have the right number of cybersecurity tools in their arsenal.
Getting To The Right Number Of Tools
What can executives do to get their organizations into that third camp? Here are a few suggestions.
Sequence investments in prevention, detection and response.
First, approach your cybersecurity budget as a strategic journey. Begin by heavily investing in prevention, focusing on strengthening defenses through firewalls, encryption, access controls and employee training. As these preventive measures mature, gradually shift more resources into detection capabilities, implementing advanced threat detection systems and security information and event management (SIEM) solutions and establishing a security operations center. Finally, enhance your response readiness by developing and testing incident response plans and investing in forensic tools.
Prioritize foundational elements.
Prioritize foundational elements such as internal assessments, governance and identity and access management (IAM). These critical components form the backbone of your security posture. Regular security audits and penetration testing help identify vulnerabilities, and developing and maintaining security policies, compliance frameworks and risk management strategies strengthens your overall governance.
Hire and retain talent.
Don’t overlook the human element. The cybersecurity skills shortage continues to be an industry-wide issue. To get and stay ahead, it’s critical to hire and retain top talent by investing in ongoing training and certifications for your team. Remember, the most advanced tools are only as good as the people operating them.
Optimize your tool stack.
Conduct a thorough inventory of your current tools and their functionalities. Identify any overlaps or gaps in your security coverage, then look for opportunities to consolidate tools, focusing on integrated platforms that offer multiple functionalities. Consider cloud-based security solutions, which can offer cost savings and easier management.
Invest in cyber insurance.
Although sometimes challenging to obtain, cyber insurance can provide crucial financial protection. Invest time and resources in documenting your security practices and incident response plans, as this can help reduce premiums. Consider working with a broker who specializes in cyber insurance to navigate the complex market.
Conclusion
Regardless of where you are in your cybersecurity journey, it’s essential to ensure that your investments are delivering measurable results. Focus on metrics such as time to detect, contain and recover from data breaches. Reduction in time to patch software application vulnerabilities and in data center downtime are also valuable indicators to monitor closely. Remember, the goal isn’t just to spend more on security but to spend smarter, ensuring that every dollar invested contributes to your organization’s resilience and bottom line.
https://www.forbes.com/councils/forbestechcouncil/2025/01/08/from-budget-to-breach-prevention-mastering-cybersecurity-investments/