A recently released Gartner survey of 2,000 CIOs indicates a prioritization of cybersecurity over all other IT areas, including cloud and data analytics.
According to the report, “With the opening of new attack surfaces due to the shift to remote work, cybersecurity spending continues to increase. 61% of respondents are increasing investment in cyber/information security, followed closely by business intelligence and data analytics (58%) and cloud services and solutions (53%).”
Technology budgets overall are still growing, with 2% growth forecast for 2021, but this is down from 2.8% in 2020.
This is a positive development as more companies recognize the need to balance security with the pursuit of growth via digitalization. Too often companies have sacrificed cybersecurity as they instead focus their investment on initiatives that increase growth and/or that deliver cost savings—a mistake characteristic of 1-2 Star-rated companies across all sectors.
But companies and investors should be aware that more money spent doesn’t necessarily translate to better security. Despite increasingly prioritizing cyber spend, the number of breaches continues to grow—including a 7-fold increase in the most financially damaging form of attack: ransomware.
For many companies, more investment in existing security tools is not resulting in better performance. According to Mandiant Security Validation, company systems detect only 26% of total attacks and prevent 33% of them (Mandiant Security Effectiveness Report 2020). This means 66% of attacks on companies get through despite tools designed to prevent them.
- For C-suites: There is plenty of opportunity to better optimize existing cyber spend and a need to demonstrate better security ROI. First, conduct security validation against the existing security stack to understand what’s working, what’s not, and what is most important to fix. Do this before investing more money in tools or capabilities the company may already have but isn’t using properly, or may not need at all.
- For investors: A ransomware attack can wreck financials and lead to a precipitous drop in share price. Early warning signals appear long before successful attacks become known. Ask C-suites how the increased money will be spent, how the investment will translate to better security, and what proof they have of these outcomes.
In other words, “do you, Mr. CFO or CEO, know how the increased security spend will result in a lower likelihood of a ransomware attack and lower the financial downside risk due to increased digitization? If so, based on what verifiable metrics?”