Spending more on cybersecurity does not up your protection

by Paul Proctor
February 20, 2023

Spending a lot on cybersecurity does not mean great protection. Believing otherwise leads to big security budgets and disappointed executives.

Sadly, one of the more popular questions that Gartner gets from our clients is “How much should I spend on cybersecurity?”

“We didn’t spend enough money on that.”

…Spoken by no CFO, ever

Executive business decision-makers do not judge any other part of their business by the amount they spent on it. So why do they do it with security?

One of the biggest mistakes organisations can make is to conflate cybersecurity spend with protection. This leads to big security budgets that have no relationship to better security, and to executives who are disconnected from the reality of how security investment really works.

The problem is created by these seemingly contradictory statements that are both true.

  • Spending a lot on cybersecurity does not mean you have good protection.
  • You will need to make an investment if you want to become better protected.

“Make an investment” may be more money or investment in time and effort to change from an older, less effective process or control to a newer, more effective one. The net may be cost savings, but you still must make an investment to create the change.

I know organisations that spend a ton of money on security and are terribly protected. I also know organisations with very modest security budgets that have created great levels of protection. Basically, money doesn’t equal protection, but the investment is absolutely necessary if you want to become better protected.

It is true that “it all comes back to money.” But in cybersecurity investing, budget approval is only the start. Value is created by spending the money to create protection-level outcomes.

Those outcomes dictate your protection, not the money you spent delivering them. The fact that you bought and implemented some cool stuff doesn’t mean better protection either.

When executives conflate the size of the budget with a level of protection, this leads to throwing money at the problem. That’s how organisations end up with big security budgets and poor protection.

Behaviours that reinforce the idea that cybersecurity spending = protection

The following behaviours should be avoided.

Behaviour #1: Treating budget approval as a success

Many CISOs treat getting a budget as a success. They build business cases, money is allocated and spent on tools, and all of this is reported back to the executives. This pattern reinforces executives’ belief that money is buying them better protection.

In each board meeting, the CISO reports the progress of money spent and tools implemented. This creates a self-affirming cycle between the CISO and management. The CISO gets more money/success and the executives believe they are getting better protection so they give the CISO more money, and on, and on.

…until the spending becomes so great that the executives ask what they got for all that money.

…or when the organisation experiences a material cyber incident.

In both cases, the executives are left disillusioned.

Behaviour #2: “Money is not a problem. I can get whatever I need.”

A recent article in the WSJ quoted Amazon CISO Stephen Schmidt:

Mr. Schmidt reports to Amazon Chief Executive Andy Jassy, who is focused on security. “That does actually make my job easier,” Mr. Schmidt said. “Andy has never turned me down for something that I said is necessary to do the job.”

I hear this sentiment expressed regularly, especially in large enterprises with well-funded security programs. For CISOs who are in this position, this is universally stated with pride because it’s an indicator of executive trust.

Trust is a good thing, but this also establishes a line of responsibility to the CISO. If something goes wrong, it’s completely legitimate to inquire why the CISO didn’t ask for something that would have prevented the incident. This expectation is amplified if the security budget is well-funded and the executives equate spend with protection.

Behaviour #3: Cybersecurity spending benchmarks are the primary motivation for security investment

Cybersecurity spending benchmarks are a powerful tool to understand where you’re putting your money. When they are interpreted as a protection level, they lead to throwing money at the problem.

You should use spending benchmarks as leading indicators of underinvestment. You also need a story about what you’re doing with the existing budget, and what you will do with new budget to change protection levels.

To change hearts and minds, avoid these three CISO behaviours and actively move your executives off the idea that “money = protection”.

  • Don’t report spending money on tools without also reflecting a change in a protection level.
  • Manage expectations with executives who approve budget requests because they trust you.
  • Don’t lean exclusively on cybersecurity spending benchmarks to make the case for better protection.

The Bottom Line

It is not appropriate for executives to treat the CISO as the arbiter of appropriate protection and enable this by giving them whatever they request. This behaviour should be tempered with an understanding that security is a choice and a business decision. The executives should be thoughtfully engaged in the choices presented by the CISO.

Measure outcomes and treat the spend as a necessary part of the conversation.

Focus on the protection level outcomes your executives say they want, within the organisation’s willingness to pay for them.

First published on Gartner Blog Network

Paul Proctor

Paul Proctor is a VP and Distinguished Analyst, and former Chief of Research for Risk and Security at Gartner. He leads CIO research for technology risk, cybersecurity and digital business measurement. Mr. Proctor advises CIOs, executives and boards to manage risk and balance the needs to protect with the needs to run their business. Proctor's coverage includes board reporting, outcome-driven metrics, risk management, the Gartner business value model, and digital business transformation. His ground-breaking research in risk, value, and cost management helps organizations prioritize and invest in the readiness of technology to support their business and mission outcomes. In 2016, he was appointed to the University of California Cyber Risk Advisory Board by former Secretary of Homeland Security and UC President, Janet Napolitano.

Previous experience: Mr. Proctor has been involved in various aspects of risk management and the business value of IT since 1985. He was the founder and CTO of two technology companies and developed first and second-generation host-based intrusion-detection technologies. He is a recognized expert in the fields of risk management, information security, and associated regulatory compliance issues. He has authored two books published by Prentice Hall. He was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of 11th September. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder, and Practical Security.

Professional background:
  • SAIC: Engineering Manager
  • Centrax: Founder and Chief Technology Officer
  • CyberSafe: Chief Technology Officer