Budgeting for cybersecurity takes careful consideration

The risks are increasing, but budgets aren’t keeping up.

Francis Scialabba


All of these folks are likely in for a rough career patch in the coming year: SBF’s public relations team, the poor schmuck who has to tell Elon Musk he’s wrong about something, and the CFO who shorts the cybersecurity budget at a time of increased cyber risk.

While there’s not much anyone can do to help the first two, CFOs can take a proactive, thoughtful approach to effective cybersecurity budgeting to help protect themselves and their organizations.

But that’s easier said than done. Recent research suggests that cybersecurity budgets are lagging behind both the increase in cybersecurity attacks and the rise of cyber insurance costs. 

Main squeeze. This gap is likely to continue as organizations face significant cost-cutting pressure in this uncertain economic climate. Compounding the challenge of creating effective cybersecurity budgets is that calculating the ROI of cybersecurity investments is like trying to prove a negative.

“I think the squeeze on budgets means it is even more important than before to make sure you’re confident in the value of your spend,” said Casey O’Brien, director of cybersecurity at S-RM, a cybersecurity consultancy based in London.

But if there is one place that companies shouldn’t cheap out, it’s investing in cybersecurity protection, according to Joel Lanz, professor of accounting at SUNY Old Westbury.

“To me, cyber is what enables us to do business,” Lanz told CFO Brew. “What it’s not is, ‘Let’s just give it to the IT people.’”

It’s getting worse. The last two years have been rough for cybersecurity, and keeping up with the evolving threat landscape is expensive and laborious.

The shift to remote work, worsening relationships with malevolent state actors, the evolution of ransomware, and increased dependence on cloud services have contributed to a significant rise in cyberattacks over the past two years. And the problem is accelerating, with a 42% increase in weekly attacks globally just in the first half of 2022, according to Check Point’s 2022 Mid-Year Trends Report.

“The key thing to focus on there is that the threat landscape is not static,” O’Brien said. “The cyberthreats that you identified five years ago, the chances [are] now, in 2022, your responses are out of date, and you’ve got to do it all over again.”

Slash and burn. However, cybersecurity budgets may not be keeping pace with the threats, according to a recent S-RM survey. The report found that while cyber budgets were up 5.2% over the last 12 months, “without further commitment to cyber spend, it’s unlikely that security teams will be able to keep pace with their adversaries.”

News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

There are signs that that commitment might be lagging. A September release by Fitch Ratings found that underfunded cybersecurity budgets pose an increased risk to businesses in 2023. An Information Systems Audit and Control Association (ISACA) report found that only 42% of cybersecurity professionals felt their organization’s cybersecurity budget was adequately funded.

Now, with CFOs focusing on cost-cutting in the face of a potential recession, cybersecurity budgets might be at further risk of reduction.

“Even budgets for cybersecurity aren’t sacrosanct,” said Gerry Glombicki, senior director at Fitch Ratings. “They are subject to cuts and reductions as well.”

Balancing act. Glombicki, O’Brien, and Lanz all agreed that the first place for businesses to start improving the efficiency of their cybersecurity spend is a thorough and honest cyber-risk assessment. “And rather than try to answer everything ‘yes,’ go with the spirit of what the question is trying to get at,” Lanz said.

That means analyzing and understanding who has access to company systems, what technology and equipment the company owns and where it physically is located, crafting a cyber incident response plan, and weighing the costs of a breach, according to Glombicki.

Even more important is having a clear understanding of how cybersecurity supports and propels business goals and value drivers, Lanz added.

“We need to figure out what’s the right balance for what we are trying to accomplish and from that, we need to be honest with our risk appetites,” he said.

Organizations looking to stretch their cybersecurity dollars should also be wary of “shiny new object” syndrome. Every organization has different cybersecurity risks and needs, and there is no technological “silver bullet,” O’Brien told CFO Brew.

“It’s not just [saying], ‘Great, we splash on the shiny new toy and we close our eyes and hopefully that resolves all our cybersecurity security issues for next year,’” he said. “It’s really making sure that every penny you spend is appropriate for your organization’s risk profile.”

Bottom line. Strengthening relatively low-cost, basic cybersecurity protections—like multifactor authentication, end-to-end encryption, anti-malware software, access management, and patch management—will go a long way in stretching cybersecurity investment dollars, Glombicki said.

And, while such moves won’t fill all the security holes, doing those five things well can create a lot of stability, he added.—DA
