In today’s ever-evolving digital landscape, the importance of cybersecurity cannot be overstated. With the increasing complexity of threats, organizations are recognizing the need to allocate more resources to protect their valuable assets. Recent reports indicate a positive trend, as Chief Information Security Officers (CISOs) across the industry are reporting rising budgets to bolster their cybersecurity efforts. However, despite these budget increases, security outcomes are not improving significantly. A significant portion of data breaches still involve human error, privilege misuse, or social engineering. To address these challenges effectively, organizations must focus on proper security architecture, implementing zero trust principles, and enforcing cybersecurity performance management.
Cyber budgets increasing
CISOs across the industry have reported rising budgets as public awareness of increasingly complex threats grows. A recent Information Security Maturity Report released by BSS revealed that just over half of the 182 CISOs surveyed reported budget increases from last year, with most increases ranging from 10% to 30%.
Despite these budget increases, security outcomes aren’t getting much better. In its 2023 Data Breach Investigations Report, Verizon found that 74% of data breaches involved the human element, whether through error, privilege misuse, or social engineering. Breaches like these are difficult to prevent purely by stacking extra tools into the toolbox; preventing them requires much more focus on proper security architecture, implementing zero trust principles, and enforcing cybersecurity performance management.
It all starts from the top
Despite the unprecedented risk facing organizations everywhere, cybersecurity isn’t a top priority for most boards. According to the BSS report, only 9% of CISOs reported that security was always among the board’s top three priorities on meeting agendas, and less than a quarter reported having actively participated in business strategy and decision-making processes.
However, any attempt to reduce cyber risk has to flow down from the very top. Cybersecurity needs strong governance so that it is integrated throughout the organization and consistently reinforced as a process. Without it, outdated security policies and procedures fail to adapt to the constant change that comes with organizational growth, leaving security teams behind the curve on the latest cyber threats. This can only happen when the board and executive teams are aligned in prioritizing cybersecurity as a core part of the business.
Aligning the Board and Security teams around budgetary requirements
This means that the board, executives, and security teams need to work together to chart a path towards improved cybersecurity performance. Boards are asking better questions about an organization’s cyber risk and how it is to be measured, so that directors can carry out their duties effectively. A few years ago, a CISO may have gotten by with presenting the board a trend line showing open vulnerabilities falling from 10,000 to 5,000 over a given period; that is no longer enough. Now more than ever, board members need awareness of and insight into how their security teams are protecting the organization’s critical assets, which means greater collaboration is required to build a shared understanding of on-the-ground performance as it compares to the organization’s strategic goals.
This requires alignment on risk appetite, on a common lexicon, and on the future strategic direction of cybersecurity initiatives. We’ve talked about this kind of alignment before, and our nSights Report: Cybersecurity Alignment with the Board was created to address this challenge; in it, we make the case for alignment and visibility throughout the business. We believe that measuring cybersecurity value should be:
- Automated and efficient,
- Interoperable and scalable,
- Meaningfully visible,
- Supporting the business,
- Performance centric,
- Mapped to valuable business functions,
- Timely and accurate,
- And finally, it should be cost-effective.
These eight tenets guide effective board reporting, and their natural outcome is greater unity between the board and the business. Only then can we properly understand how to allocate cybersecurity budgets where they best support and protect the business. This can only be done through genuine cybersecurity performance management – if you don’t really know how well you’re doing, how can you know where you’re going next?