3 steps to ensure effective cybersecurity budget allocationWith the number and complexity of attacks increasing, cyber defence spending should focus on its impact and be proportionate to the threat.
Even as ransomware attacks rose 62% between 2019 and 2020, cyber defence spending was flat during the pandemic.
This was a finding of a recent survey of IT, executive, and other senior decision-makers in the UK and the US. It found that average cybersecurity spending during the pandemic was up less than 1%. It also found that 60% of those surveyed had reported a major cybersecurity incident in the past three years.
The report, Investing in Cyber Resilience, by international cybersecurity consultancy S-RM, revealed that companies' spending may be starting to make up some lost ground though. Budgets for cyber defence are expected to increase by an average 8.4% over the next year — up to an average £19.9 million ($27 million), S-RM calculated.
Ransomware attacks, such as the one that hit the US Colonial Pipeline fuel distribution system in May, have fundamentally changed over recent months. Two years ago, attackers would encrypt data and businesses would have to pay to get the data back. Then attackers would steal the data, allowing them to "double extort" money. The director of S-RM's cybersecurity practice, Casey O'Brien, said in an FM interview that in the past few months attackers have been creating triple extortion by using denial-of-service attacks that make computer systems unavailable to users through typically flooding the target with online traffic.
For boards and executive teams, the complexity and rapidly evolving cyberthreat landscape means it is not easy to know where to invest. Before an investment decision can be made, decision-makers need to ensure they have consulted all relevant stakeholders within the organisation, such as the COO and head of IT, so that investment decisions are well informed.
O'Brien said there were three steps businesses can take to ensure money is spent effectively.
Consider the budget allocation's impact. The first question for budget holders is to ask themselves, "What is the impact of that spend?" To do that, O'Brien said, understand your business fully and consider its risk profile, and then take steps to mitigate the specific risks to it.
Ensure stakeholder alignment. Before you spend, make sure you have "alignment across the business", O'Brien said. He added: "You will have senior leaders across the business … in IT … someone in finance … in ops — everyone will have different priorities. …The CEO might agree to it, but it's got to be rolled out and implemented by … an IT team or security team."
To avoid wasting money, it's critical to identify the key stakeholders before setting strategy and communicate and consult with them, he said.
Make the investment proportionate. You need to understand the appropriate level of spending for your business and its sector. "There is always somebody who will tell you [that you] need to spend more on this, or you need to get this new tool, and actually it needs to be proportionate [to] your company's [risk] profile."
O'Brien said an effective cybersecurity strategy must be tailored to the organisation. "To do that you need to understand your threat profile — who might attack you, how they might do it." He added: "You also need to think about your risk appetite — would a really strict cybersecurity policy have an obstructive impact on your operations? If so, you may need to consider dialling back a little bit."
The strategy must also be clear and well communicated throughout the organisation, he said. Employees across the business have a key role in ensuring their organisation is kept secure. He said: "There is no use setting a strategy as a small team of five in a room … if it doesn't permeate throughout the organisation."
According to O'Brien, a good test is "if you stop an employee in the corridor and say, 'What is the cybersecurity strategy for this organisation?' And they say, 'I have no idea,' you're probably not going to have an effective strategy implementation."
A simple mission statement can be effective — and boards need to be proactive and show leadership, and that will permeate the organisation, he said.
"If you set a strategy, you can't then just rest on your laurels for a year and [then] review it." Like a commercial strategy that is flexed as the market changes, a cybersecurity strategy needs to develop as the threat landscape changes, which it does on a daily basis, O'Brien said. "[The strategy] has really got to be dynamic to match what the threat actors are doing."
— Oliver Rowe (Oliver.Rowe@aicpa-cima.com) is an FM magazine senior editor.