Chief Operating Officer and cofounder at Talion, a global MSSP.
Worldwide spending on security and risk management is predicted to increase more than 11% in 2023, from $158 billion in 2021 to $188 billion. This is a huge step in a positive direction, as we’ve gone from board members underestimating the value of building a robust security posture to 82% of senior managers in U.K. businesses rating cybersecurity as “very high” or “fairly high” in importance, according to the Office of National Statistics (ONS)—a clear improvement on 77% in 2021.
With the C-suite supporting internal cybersecurity development, we’re perhaps looking at a future of better-protected businesses due to higher, value-driven security budgets and, therefore, a decreased risk of cyberattacks. Yet, the fact remains that the victim count of data breaches continues to increase, reaching over 422 million in 2022, up 128 million from the previous year.
The statistics defy logic: larger security budgets are not translating into lower security risk. Why is that?
Why Are Data Breaches On The Rise?
Why are data breaches continuing to rise despite higher security budgets and better cybersecurity solutions? Here are three often-overlooked causes of rising data breaches:
1. Businesses invest ineffectively for their security needs.
A lot of us stick to what we know. In our personal lives, we may eat the same cereal every morning. In our work lives, we may use the same systems and tools we’ve always used. It’s not often we sit back and think: Is there a better alternative?
Security Team A, for example, might have a set way of doing things. This means that even if their security budget is increased, they may not consider alternatives for better security protection and will stick with the familiar. Security Team B may remain flexible, redefining their needs and evaluating their existing investments for effectiveness and then applying the budget to resources accordingly.
I always encourage security teams to take the Security Team B approach—to look outside of their “box” once in a while. However, if breaches continue to rise despite increased budgets, this could indicate that many businesses are falling into the Security Team A pitfall: They’re not using their budget effectively—they’re simply using it.
2. Businesses equate money with protection.
Just because a business invests thousands in its cybersecurity budget doesn’t necessarily mean it’s any more protected than a company that spends much less. Why? It’s about how you use the money, not how much of it you have.
The U.K.’s Royal Mail, for example, was hit with a cyberattack in January 2023. With annual revenue of around $15.8 billion, it seems logical that its growing earnings would translate to sufficient cyber protection. However, its previous head of information security, Anthony Davis, stated, “I have a good idea which systems at the Royal Mail could be affected … and the incident response will likely take some time,” implying its legacy systems let it down. This is an example of where the budget available could have been used to upgrade old systems and invest more effectively in a long-term security strategy, but it was instead, presumably, spent elsewhere.
This could suggest that, even though businesses might have significant cybersecurity budgets, it doesn’t always align with beneficial spending and safety.
3. Security budgets can’t match the advancement of cybercriminals.
Although security budgets are at an all-time high, it’s all relative: These security budgets may have been sufficient five years ago, but they may not be now.
With the dark web growing over 300% since 2017, it makes sense that cyberattacks will continue to rise, as cybercriminals keep finding more advanced and creative ways to break into corporate networks and socially manipulate employees. Yet, businesses aren’t necessarily aligning their security budgets to match this growth. For example, an organization might need three times its current budget to reach the standard required to remediate a cybercriminal’s attack. It’s become an invisible chase.
To fend off the rise in data breaches, businesses may have no choice but to increase cybersecurity budgets to match the growing prices of the technology needed to mitigate the risk. But I’d argue that spending effectively is most important.
How CISOs Can Use Their Cybersecurity Budget Effectively
Although many security teams seek a higher budget to increase their security measures, it’s not always possible. You can, instead, direct this energy into the effectiveness of your spending. But where should you start?
1. Reflect on your business needs.
Don’t think about what your company needed one year ago. What does it need right now and in the near future? Are the systems you use and the people you employ the right fit to meet those needs?
For example, a business that wants to ramp up its security posture may start hiring people to build a full in-house security operations center (SOC), but has it thought about outsourcing? Would this provide greater expertise at a lower cost rather than waiting months to hire the perfect team? Assess different options and discover what’s right for the business.
2. Utilize budget spend predictability.
Streamlining cyber budgets is all the talk at the moment. Businesses will likely move away from in-house security, where the coming and going of staff is unpredictable, and instead acquire budget spend predictability over a one- to three-year contract with an outsourced SOC. More CISOs are considering hybrid service offerings because they offer an unchanged budget that can be managed more easily over time without sacrificing existing technology investments and expertise.
Overall, it will likely be hard for businesses to match security investment with the growing rate of cybercriminal advancement, but it’s not impossible. The more companies invest effectively in cybersecurity, the lower the chance of a breach—it’s as simple as that. If boards are prepared to be clear and direct with their business needs and security teams are aligned with the top vision, effective action and sufficient security are simply a knock-on effect.