Every company is (or should) be spending on cybersecurity to protect its information but does spending more actually correlate to a more secure system? There is no perfect security so a company can always spend and do more. At some point, however, a company has to make choices about how much to spend and on what to spend the last dollar of its cybersecurity budget. Is there an answer to the two key questions:
- How much should the company spend on cybersecurity?
- What tools, techniques, and talent should the company prioritize?
Deloitte recently issued a report that offers some insight into what companies spend on cybersecurity in one of the more sophisticated industries (in cyber terms) and what level of maturity they get for that spending. Working with survey responses provided by members of the Financial Services Information Sharing and Analysis Center (FS-ISAC), Deloitte was able to look at budget and maturity of cybersecurity practices in some of the most advanced cyber programs in the world.
The most striking conclusion in Deloitte’s report is that “money alone is probably not the answer, as higher cybersecurity spending did not necessarily translate into a higher maturity level” (emphasis added). Measured on a per FTE basis, as a percentage of the IT budget, or as a share of revenue, the surveyed companies spent a wide range of their budgets on cybersecurity. But there was not a strong correlation between those that spent a lot and the maturity ratings achieved.
The maturity ratings given to the participants were self-reported based on characteristics rather than measures. Companies with Board involvement and whole-of-company cybersecurity approaches were rated higher on the scale, adopted from the NIST Cybersecurity Framework’s four implementation tiers of Partial, Informed, Repetitive, and Adaptive. Characteristics that Adaptive companies shared were short reporting chains from the CISO to the CEO and a greater concern by the company’s CISO with business growth and opportunities over fighting for budget and management support.
If there isn’t a correlation between higher spending and more mature programs, how should a company approach its cybersecurity program?
Missing from the analysis of maturity of different financial services firms was any conclusion about whether an Adaptive cyber program reduced risk measured as exposure to financial loss. The report does not speak to the association between the maturity of a program and its capacity to actually reduce risk. Another financial services company could follow the roadmap laid out in the NIST Framework, becoming Adaptive across CSF functions by moving the CISO higher on the org chart, making sure the board has a regular cyber briefing, and, yes, even by spending more money on the problem. None of those changes, however, help a business forecast according to value at risk or understand the cost-effectiveness of one cybersecurity choice over another.
A FAIR risk analysis can answer the questions around prioritization and cost-effectiveness. From looking at the return of a particular cybersecurity investment through to organizing the spending for an entire cybersecurity program, a financial model for cybersecurity risk can provide a roadmap to report on improved cybersecurity to the Board and the C-suite. The potential improvements an organization can achieve by making organizational, strategic, and budgetary changes in how it handles cyber can be paired with a measurement of the financial benefits of those changes and the smaller, tactical choices in the cybersecurity program.
If you want to take a closer look at how your cybersecurity program is performing, drop Foresight Resilience Strategies a line and let’s take the first step to making sure your cyber program really is reducing your risk.