The CISO’s guide to cybersecurity investment in 2023
In a challenging economic climate, there are no guarantees when it comes to cybersecurity budgets, and CISOs must prepare to adjust investments accordingly.
At its recent annual meeting in Davos, executives from the World Economic Forum (WEF) revealed an alarming finding from the think-tank’s Global Security Outlook Report for 2023: 91% of the global organisational leaders surveyed believe that current geopolitics make a “far-reaching, catastrophic cyber event” either moderately or very likely in the next two years.
The recent Russia-Ukraine war has focused corporate minds on the threat environment their organisation faces, said one respondent. “We have needed to spend time and resources on understanding how the threat landscape has changed, whether the difference in the attacker’s motivation makes us more likely to be targeted, what will be attacked and how it will be attacked,” they told the report’s authors.
In other words, today’s cybersecurity professionals are expected to protect an expanding attack surface from a growing range of threats and malicious actors.
During the pandemic, the rapid expansion of remote working and the roll-out of new cloud solutions enabled businesses to keep operating, but these initiatives also created more distributed IT environments that are different in nature to those previously managed by CISOs and their teams to secure. Then there is the rise of Internet of Things (IoT) technologies, which interconnect physical assets and introduce new exploit opportunities. And finally, there is a considerable increase in cybercrime to consider. As the WEF report points out, this includes nation-state-sponsored attacks, exacerbated by the war in Ukraine and forcing public and private organisations to rethink their security posture.
In short, whether they rise, stagnate or fall in 2023, cybersecurity budgets need to catch up with the level of cyber risk that organisations face.
In a May 2022 survey of 1,200 C-suite executives in 16 countries, conducted by ThoughtLab and sponsored by Elastic, three out of ten respondents (30%) complained that their organisations’ cybersecurity budgets were already inadequate. Even more (38%) predicted this would be the case in two years. This finding comes as more than one-quarter of respondents (27%) agreed that their organisations are not well-prepared for a changing threat landscape, a proportion that rose to 29% among CISOs only.
With all this in mind, these are my four recommendations on the best way to manage cybersecurity spend in 2023:
1. Calculate an 80/20 split for cybersecurity investment
The 80/20 rule, or Pareto Principle, states that 80% of all outcomes are derived from 20% of causes. It’s a good rule, too, for cybersecurity investment in medium and large enterprises. Here, 80% of cybersecurity spend should be directed at the fundamentals and what can be achieved using existing tools and available resources. Such as training staff, performing regular system updates, two-factor authentication (2FA) and credential allocation. Meanwhile, the remaining 20% of the budget should be targeted at niche high-risk areas, such as investing in new technologies to combat threats, conducting external systems audits and ensuring that resources are in place to respond quickly to high-level breaches.
2. Let go of legacy products and systems
Many businesses hold on to legacy products and systems, typically out of a desire to get the most out of previous investments - creating a false economy. At best, it forces the cybersecurity team to expend effort and resources on fortifying technology assets that are rarely or never used. At worst, it may significantly weaken the organisation’s barriers against breaches. Instead, teams should regularly assess the usefulness of products and services and remove those that no longer deliver meaningful value to the organisation to reduce possible entry points for criminals and protect cloud environments.
3. Invest in platforms that support multiple functions
When choosing to invest in new platforms - or evaluating those already in use by the organisation - teams should hunt for economies of scale and only deploy platforms capable of supporting multiple functions to curb product proliferation and promote tool consolidation. The right combination of carefully selected platforms can limit the vulnerabilities created by an extensive network of siloed tools, reduce overall management costs and simplify user experience.
4. Ensure you are getting the most out of existing tools
It might seem more straightforward (and often more exciting!) to invest in new technologies when addressing IT problems. But ‘new’ doesn’t always mean ‘best’. A constant influx of new technologies can result in a highly complex environment, where a team’s time and resources are more focused on maintaining the tools themselves than on achieving core, business-level objectives around cybersecurity. So before investing in new technologies, check the organisation is maximising the use of solutions that are in place. This includes ensuring that operating systems are properly maintained, that users regularly update their systems, and that the full functionality of services already in place is being used.
No room for complacency, spend wisely
The cybersecurity landscape is riskier, more complex and more costly to manage than ever before. And more than that, the risks, complexity and costs are only accelerating. Companies that don’t pay immediate attention to the current situation risk falling even further behind.
As a result, there is no room for complacency in 2023. And there are no guarantees that cybersecurity budgets will be safeguarded by executive teams forced by the economic climate into difficult business and financial decisions. My advice to fellow CISOs? Spend wisely, and be prepared to adjust course if necessary.