As CISOs look to prepare their 2023 security budgets, some might be asking themselves, “where do I begin?” There are such varied and rapidly changing facets of defending organizations against cyber threats that the task of sorting out which risks need the most attention can seem overwhelming.
Nevertheless, security leaders need to begin thinking about how much funding they will need and how they will allocate their budgets. “At a macro level, when defining strategic goals and developing budgets for security, CISOs should know that the status quo will likely leave security leaders with an impossible mission ahead—constrained to maintain operations and new initiatives,” says David Chaddock, director of cybersecurity for consultancy West Monroe.
“While some organizations with elevated maturity or those that have been hit by a cyberattack have since learned the value of change and may be prepared, the unfortunate fact is the majority still struggle to meet demand with traditional budgets, and the need for security is only increasing,” Chaddock says.
The key factors that might determine funding for next year will likely fall under these five categories:
- The changing threat landscape
- Economic trends and their effect on threat actor behavior
- Geo-political events such as the Russia-Ukraine war
- Changing governmental and other regulation and guidance
- Changing cyber insurance requirements
CISOs need to keep these in mind as they figure out the best ways to keep their organizations safe.
1. Changing threat landscape
The cybersecurity threat landscape is constantly changing, and the pace of change seems to have picked up with the emergence of new types of ransomware threats, the ongoing move toward the cloud, and shifting workforce models. Then there is the aim among many companies to become digital businesses.
“Digital transformation initiatives are driving the expansion of the attack surface that malicious actors are set to target,” says Ruggero Contu, senior research director at Gartner. “CISO budgets will have to cater [to] new requirements coming from external exposure from what was a traditional focus of concentrating on internal infrastructures.”
Exposed vulnerabilities such as unpatched servers and open ports on Internet-connected devices, cloud system misconfigurations, leaked critical information such as credentials, and compromised assets such as spoofed domains and corporate mobile apps are examples of areas that will be increasingly targeted in years to come, Contu says.
The rapid rise in endpoint devices, including the growth of the internet of things (IoT), and the inherent security risks will also impact spending.
“Security budgets within manufacturing, energy, transportation and healthcare will have to focus on securing industrial environments and systems impacted by the vulnerabilities introduced by IoT” as well as the IT and operational technology (OT) convergence, Contu says.
2. Scarce cybersecurity resources due to economic trends
Economic trends, not the least of which is inflation, could have a big impact on cybersecurity spending as well as threat actor behavior. The scarcity of cyber resources combined with inflation will be the most significant factor for higher cybersecurity budgets and spending in the next 12 to 18 months, says Raj Patel, partner and cybersecurity practice leader at consulting firm Plante Moran. “Basically, what everyone hears is that cyber budgets are going up,” he says. “The question is what categories are going up?” The answer is security team staffing and security tools.
“Cyber talent is hard to come by and companies are willing to pay for it,” Patel says. “This has increased salary cost by at least 10% to 15%. Employees with eight to 12 years are seeing a larger increase due to scarce resources.” As for security products and services, “over the last four years the tools and technology to better manage cyber risk have increased significantly,” he says.
Additionally, the gap between the rich and poor and the economic uncertainty that it introduces “will inevitably lead to an increase in hacktivism and other potentially destabilizing cybersecurity incidents,” Chaddock says. “This is now compounded by the influx of initiatives as companies become more digital and are increasingly more vulnerable [to] security breaches.”
3. Geo-political events that increase security risks
Events around the world, perhaps most notably the war between Russia and Ukraine, are likely to continue having a significant impact on cybersecurity and risk. This is especially true for certain industries such as government and others considered to be supporting national critical infrastructures, Contu says.
“The current geo-political events change attackers’ profile to state-sponsored hackers who have deep technical skills and [the] needed resources to attack critical infrastructure and companies in [the] United States and Europe,” Patel says.
West Monroe’s latest quarterly executive poll, which gathers results each quarter from 250 C-level executives at companies with more than $500 million in revenue, asked what actions executives’ companies were considering taking this year because of geopolitical and supply chain instability. Most of the executives (60%) said they are considering increasing spending or focus on cybersecurity as cyberwarfare becomes an increasingly used tool to gain competitive advantage.
Nation-state sponsored attack tools used against Ukraine are now readily available to a broader audience, Chaddock says. “Most organizations are not adequately protected against a nation state-sponsored exploit,” he says. “This means most security programs are already behind the curve and need significant investment above and beyond operational funding to ‘keep the lights on.’”
4. Changing regulatory requirements
Change has been a constant with regulatory requirements over the past several years, including laws that deal with data privacy. The cost of complying with various privacy regulations and security obligations in contracts is going up, Patel says. “Some contracts might require independent testing by third-party auditors. Auditors and consultants are also raising fees due to inflation and rising salaries,” he says.
Organizations should focus on building strong security, not specifically on regulatory compliance, Chaddock says. “When an organization is truly secure, the cost to achieve and maintain compliance should be reduced,” he says.
Evolving regulatory compliance requirements, especially for those organizations supporting critical infrastructure, require significant support, Chaddock says. “Even the effort to determine what needs to happen can be costly and detract from daily operations, so plan for increased effort to support regulatory obligations if applicable,” he says.
5. Changing cyber insurance requirements and rising costs
More organizations have been purchasing, or at least considering, cyber insurance plans in the wake of highly publicized attacks such as ransomware. If paying for such policies comes out of the security budget, CISOs will need to take into consideration the rising costs of coverage and other factors.
“True cyber insurance costs are going up 20% to 25%,” Patel says. “Companies can reduce the cost by reducing coverage levels or increasing deductible amounts. That would mean taking more risk. Some insurance companies will evaluate your cyber controls to gauge your premiums. With better controls, you could lower your premium.”
Companies should be sure to include the cost of cyber insurance over time and, more importantly, the costs associated with maintaining effective and secure backup/restore capabilities, Chaddock says.
“The shift toward combining ransomware with extortion to not publicly disclose sensitive information has put many organizations in a financial bind if they are a target,” Chaddock says. “Organizations with secure and resilient backup and restore capabilities are far less likely to be materially impacted by a cyber event, and therefore able to advance new initiatives and stay ahead of their competitors irrespective of their cyber insurance coverage being a limiting factor.”