- Organizations are investing a median of 22% of their IT operating budgets, and a median of 40% of the full-time equivalent IT staff is allocated to cybersecurity.
- The expected ROI for organizations making cybersecurity investments is the fulfillment of tangible business stipulations, including achieving strategic business objectives by enabling the business, reducing risks, and making operations efficient.
The cybersecurity risk landscape improved by a small margin in 2023 globally, with the Cyber Risk Index (CRI) decreasing by a score of +0.01, according to the Trend Micro 2023 Midyear Cybersecurity Threat Report. And for good reason. Accenture’s State of Cybersecurity Resilience 2023 report noted that 30% of respondents believe in prioritizing cybersecurity before anything else.
Still, North America’s CRI is the highest among geographic regions worldwide (-0.10). North America’s Cyber Preparedness Index (CPI) also worsened from 5.30 to 5.29. See Trend Micro’s Cyber Risk Index meter below.
Cyber Risk Index Meter
Source: Trend Micro
In its latest research, “Cybersecurity: Enable The Business, Manage The Risks — Now Reduce Your Opex”, Aberdeen Strategy & Research found that over the past 12 months:
- 21% of respondents experienced one or more data breaches
- 32%, or one in three respondents, experienced one or more security-related incidents that resulted in unplanned downtime
- Over 15% of respondents experienced one or more significant compliance issues
The good news is that organizations continue to invest in cybersecurity initiatives.
How Much Are Organizations Investing in Cybersecurity in 2023?
Organizations are investing a median of 22% of their IT operating budgets in cybersecurity.
Cybersecurity Investment as a Percentage of IT Operating Budgets
Source: Aberdeen Strategy & Research
At the same time, cybersecurity initiatives receive a significant percentage of full-time equivalent IT staff. A median of 40% of the full-time equivalent IT staff is allocated to cybersecurity.
Source: Aberdeen Strategy & Research
What is important to note is that organizations now seek to consolidate their cybersecurity posture in line with business needs. So, instead of maintaining various security tools and services (over 55% of companies have 75+ security tools, according to the Panaseer 2022 Security Leaders Peer Report), they focus on a select few that can help them strategize better.
In this regard, zero trust is emerging as one of the top five funded security-related initiatives for 73% of respondent organizations in Aberdeen’s study.
“Every organization is different, and obviously there’s no one ‘correct’ amount to invest in cybersecurity initiatives — whether that’s expressed in terms of the percentage of IT operating expenses, the percentage of full-time equivalent IT staff, or both,” noted Derek Brink, VP and research fellow at Aberdeen.
For trusted users, mobile-based multi-factor authentication (MFA) is now the conventional authentication mode due to its lower cost to deploy, manage, and support. The chart below depicts how the adoption of other technologies compares to MFA.
Trusted Users Technology Trends
Source: Aberdeen Strategy & Research
Additionally, the growth of zero trust network access (ZTNA), secure access service edge (SASE), and security service edge (SSE) coincides with the decline of virtual private networks (VPNs).
Aberdeen emphasizes that quantifying cybersecurity risk in terms of monetary value, either lost or expected to be saved, is the key driver of organizational cybersecurity. For instance, business and security leaders may not always be on the same page about the severity of a cyberattack.
However, if they’re told, “Hey, a certain ransomware attack has the potential to cause disruption to business for three days and likely to cause $8 million in losses,” the objectives become quite clear. CISOs may get answers to questions such as:
- How much cybersecurity investment is needed?
- What return on investment (ROI) can we expect?
- Where do we need to invest first?
Moreover, it does away with confusing technicalities, something the company board and possibly other stakeholders can appreciate, and gives them a clear understanding of the company’s cybersecurity objectives.
Models such as cybersecurity value-at-risk can often be used to gauge future needs. Although they might not always be accurate owing to the lack of historical data, the shift to risk quantification in cybersecurity is a welcome move.
What Drives Higher Cybersecurity Investments?
“In our current economic context, there’s understandably a growing emphasis on operational efficiencies. Logically, our strategies for investing in cybersecurity initiatives should be prioritizing cybersecurity solutions with lower total cost to deploy, manage, and support,” Brink said. This is primarily why zero trust and MFA have seen higher adoption.
As it is for venture capitalists, a tangible and measurable return on investment is a way for CISOs and business leaders to view cybersecurity spending as a strategic investment rather than a cost center. As a result, cybersecurity investments can also help a business attain an edge over competitors.
Fourteen new ransomware families, which have proven to cause widespread disruption to business operations, popped up in H1 2023 (compared to 10 in H1 2022). Ransomware attacks (90,945 ransomware endpoints detected in H1 2023) have also evolved to be motivated by geopolitical events in addition to the usual financial motives.
Besides cost savings through enhanced operational efficiencies, cybersecurity investments also entail fulfilling tangible business stipulations, including achieving strategic business objectives by enabling the business and avoiding unnecessary costs, such as those of ransomware attacks, by reducing the risk of incidents.
This means organizations are striving to balance business strategy and outcomes with cyber resilience.
Beyond cyber resilience, cybersecurity teams can plan for business continuity and disaster recovery by shedding reliance on a select few team members and conducting cross-training sessions for the majority of the team.
Note that Aberdeen’s research reflects only those cybersecurity investments made internally by companies. Crunchbase data indicates venture funding in cybersecurity startups decreased by over 61% year-over-year in the four quarters trailing July 2023.