Budgets Fall Short of Cyber Resilience
Cyber resilience is not getting enough of organizations’ IT budgets. Until that changes, the onus will be on security executives to make every dollar count.
- Insufficient allocations for cybersecurity spending are a problem in almost every industry, according to a 2022 Mimecast survey.
- The perceived budgetary shortfall is worst in retail, distribution, and transport companies. Healthcare and financial services companies are also high on the list of under-spenders.
- Security executives should develop clear priorities and put the funds they do have to the best possible use — while continuing to make the case to close any shortfalls.
How big a budget should an organization have for cybersecurity? Bigger than it generally is, according to Mimecast’s recently released State of Email Security report. The report shows a marked increase in concern among security professionals that their companies aren’t investing heavily enough in this area of IT.
Across all sectors, cybersecurity now represents 14% of the average company’s IT budget. On the one hand, that is just a few percentage points below where cybersecurity professionals think these investments should be. On the other hand, there’s growing anxiety about the adequacy of these expenditures. Thirty-six percent of participants in this year’s report say their cybersecurity budgets are too small. Last year, the proportion expressing this concern was much lower, at 27%.
Without adequate budget, nearly half of companies (49%) are missing out both on new cybersecurity innovations and on improvements to their existing systems. Almost as many say they can’t invest as much as they’d like in cybersecurity training for existing staff (46%) and in hiring new cybersecurity staff (43%).
Some broader cybersecurity budget trends offer hope that the needed spending is coming. A separate survey from the Gartner market research group shows that two-thirds of IT leaders plan to increase their cybersecurity budgets in 2022.
Cybersecurity Budgets as a Percent of IT
There is no absolute answer to the question of how much to spend on any area of IT — cybersecurity included. The optimal amount of cybersecurity spending depends on the sector an organization is in, on how likely it is to be a target of bad actors, and on how much its operations would be impacted by any kind of attack, whether email-borne or carried out otherwise.
But in an area like cybersecurity, where executives are much more likely to end up in the spotlight for doing something wrong than for doing something right, there is some comfort in knowing that one is at least in the same spending range as one’s peers.
The picture created by the Mimecast survey shows modest differences between actual cybersecurity budgets and best-practice perceptions. On average, respondents in the 10 sectors Mimecast looked at say that 17% of an IT budget should be devoted to cybersecurity. The ideal percentage is set highest (19%) in the business and professional services sector and lowest (15%) in the public sector.
But almost no sector is at the level of cybersecurity spending it regards as optimal. (See chart.) The one exception is companies in IT, technology, and telecom, where average spending is in line with what’s needed, according to the sector’s security professionals. The relatively heavy spending on cyber resilience in this sector could be a function of these companies being favored targets — both because of their visibility and because of the bragging rights that come from taking them down.
How to Create a Cybersecurity Budget
A self-analysis should be an organization’s first step in determining its cybersecurity budget. To be sure, this should include an outward glance at what organizations in the same industry — and of a similar size — are spending. But benchmarks of other organizations’ internal spending are always somewhat imprecise, and in the case of cybersecurity, should mostly be used to get a rough initial idea of where an organization might want to end up.
Here are key considerations in budgeting for cyber resilience:
- Regulatory requirements: Some organizations operate in industries that have specific compliance standards — such as the privacy requirements in the Health Insurance Portability and Accountability Act (HIPAA) — or face broader regulation from national or state governments. There are choices about how to meet these requirements, but no choice about whether to do so.
- Competitive pressures: If a company is starting to lose business to rivals that do a better job of safeguarding customer data, the trailing company’s hand may be forced. In this case, certain investments aimed at cyber resilience become a kind of table stakes.
- IT risk analysis: Here is where budgeting gets the most detailed and organization-specific. Experts say organizations should look at each of their IT assets and assess them for their level of vulnerability, as well as for their importance to the business. For one organization, it could make sense to put more safeguards around an enterprise resource planning (ERP) system than an e-commerce system. For another, the opposite might be true.
- Input from internal and external stakeholders: Security breaches are emotionally jarring and very disruptive to an organization. Even the impression that some aspect of an organization’s systems isn’t secure can have an impact on operations. The concerns can come from a line manager, from board members, or from customers. This input should inform the cybersecurity department’s decision-making.
- Integration: Most organizations are looking to integrate their many cybersecurity systems to get more out of the dollars invested in cyber resilience. Eight out of 10 (83%) say they prefer to use security platforms that include open APIs, enabling broad connections among cybersecurity tools. The consensus view is that this type of integration could net an average 15% gain in their security teams’ efficiency.
- Advanced technologies: Artificial intelligence and machine learning are helping some organizations do a better job with threat detection and with speeding up their remediation response times. IT, technology, and telecom companies make the most use of AI/ML for security purposes today, Mimecast’s survey shows. Nearly two-thirds (63%) of companies in this sector are currently using these advanced technologies, compared to 46% across all sectors.
The Bottom Line
Cybersecurity budgets today are lower than security executives would like. By doing a careful analysis of their IT assets, focusing on certain “must-haves” and finding efficiencies, cybersecurity executives can cover their priorities and maximize the impact of each dollar they spend.
Source: “Composable Business Is Driving Investing Choices for the Year Ahead,” Gartner