A recent report from risk and cybersecurity solutions provider BSS has highlighted the challenges Chief Information Security Officers (CISOs) face in managing security budgets. The research, which surveyed 150 security leaders, found that despite notable increases in security funding, impractical expectations from budget holders are pushing a significant share of the budget towards issues highlighted in the media rather than towards strategic, business-centric investment in security defenses. The report emphasizes the need for a better understanding of, and greater attention to, information security, especially in the boardroom.
The Information Security Maturity Report, released prior to the BSS research, further supports these findings. Among the 182 security leaders surveyed, just over half reported an increase in their budgets compared to the previous year, although the degree of increase was generally lower. Factors contributing to increased spending included the evolving cyber threat landscape, the need to keep up with peers, and investments in recruitment and training.
According to the BSS report, a majority (61%) of the security leaders surveyed experienced an increase in their security budgets. The highest percentage (73%) was observed among CISOs with an annual security budget ranging from £500,000 to £1 million. On average, CISOs saw increases of between 10% and 30%. Notably, 78% of CISOs stated that they received additional budget after high-profile cyber incidents such as data breaches and ransomware attacks, indicating a shift in attitudes toward information security within organizations.
However, the report also highlights the downside of spending increased budgets reactively. More than half (55%) of CISOs reported having to allocate funds to issues highlighted in the media rather than to investments driven by the organization's own business needs. The problem stems from the impractical expectations of budget holders who may not fully understand the threats the organization actually faces. Chris Wilkinson, director at BSS, emphasized the urgent need for a better understanding of the current threat landscape and for appropriate allocation of security budgets.
Another obstacle faced by CISOs is the lack of attention given to cybersecurity in board agendas. The report noted that only 9% of CISOs ranked information security as one of the top three priorities on the boardroom’s meeting agenda. Additionally, less than a quarter (22%) of CISOs actively participate in business strategy and decision-making processes. To address this issue, BSS suggests that CISOs leverage the heightened awareness of security to educate the board on critical threats and their potential business impacts.
Speaking to the board about cybersecurity in a productive manner can be a significant challenge for CISOs. Common mistakes include using overly technical security language, focusing on the wrong threat impacts, failing to prepare for likely questions, and relying on out-of-the-box cyber risk reporting. To help address these challenges, the UK National Cyber Security Centre (NCSC) recently published its Cyber Security Toolkit for Boards, which provides resources to help board members better understand and govern cyber risk.
In conclusion, although CISOs are experiencing notable budget increases, misguided expectations from budget holders are causing problems when it comes to allocating funds for security. This lack of understanding and attention to information security emphasizes the need for increased education and awareness within organizations, especially in the boardroom. By effectively communicating the critical threats and potential business impacts, CISOs can bridge the gap and ensure strategic and business-centric investment in security defenses.

