Knowing which areas of a cybersecurity budget should receive the most attention to generate key business value is an essential skill for CISOs.
Deloitte recently discovered that cybersecurity is at the core of cloud-based digital transformation, accounting for almost 50% of the success of the initiatives. CISOs view benchmarking and budgeting as the first step in monetizing and advancing their careers. That’s why CISOs should take every opportunity to tie their spending to revenue.
That mindset is essential for CISOs who want to land an executive-level position and show they know how to use cybersecurity budgets to support and increase revenue.
“I see more and more CISOs joining boards,” said CrowdStrike co-founder and CEO George Kurtz during a keynote address at his company’s annual Fal.Con. “I think this is a great opportunity for everyone here [at Fal.Con and in the industry] to understand their impact on a business. From a career perspective, it’s great to be part of that boardroom and help them along the way.”
Know how much consolidation is enough
The CISOs that get it turn the complexity and high maintenance costs of their tech stacks into consolidation opportunities that improve cyber resilience, increase visibility and control, and close gaps in their security posture. Consolidation is a given for any CISO who inherits a large, complex and costly tech stack that needs to be phased out to improve scale.
CrowdStrike recognized early on the need to support CISOs who need to consolidate tech stacks to generate more revenue. By developing a growth strategy that benefits their growth and their customers’ security posture, CrowdStrike helps customers find the best possible balance between consolidation and new investment in software and services. By providing a methodology and internally based benchmarks, CrowdStrike has a strong track record of helping clients understand the optimal level of consolidation given their unique business requirements.
Like CrowdStrike, Palo Alto Networks has defined a consolidation strategy for its clients. While their consolidation strategies differ, both CrowdStrike and Palo Alto Networks are seeking to achieve economies of scale through cost savings while generating upsell and cross-sell revenue. Each maintains a strong focus on budgeting and benchmarking.
Quantify risk to get board buy-in
Selling a board of directors and CEO on a cybersecurity budget should start by defining it in terms that quickly gain attention and acceptance. CISOs tell VentureBeat that they are most successful at winning budget battles by explaining the downside revenue risk of not securing a business area, then using that data to quantify cyber risk.
To further strengthen the case for passing the cybersecurity budget, it is necessary to explain the potential revenue impact of a breach and the risks of not having a dedicated threat detection and response system in place. This should be quantified with cyber risk data and reinforced with industry-standard benchmarks. Chief Risk Officers (CROs) and CISOs who collaborate and excel at quantifying cyber risk are more likely to get their budget funded.
Cyber risk quantification is a technique for defining and expanding budgets for zero-trust security frameworks and initiatives.
“Risk quantification helps you assess the value of cybersecurity projects using a widely understood framework that assigns a financial value to each prioritized decision based on statistical modeling of risk and expected loss,” writes Mark Tattersall in his blog post The Business Case for Risk Quantification.
Quantifying risk is essential for benchmarking in the right context so that CISOs can have guardrails to make the best decisions.
Cybersecurity benchmarking is essential for a company’s growth
As Kurtz put it at Fal.Con, “Adding security should be a business driver. It has to be something that contributes to the resilience of your business, and it has to be something that helps protect the productivity gains of digital transformation.”
Kurtz’s comments turned out to be prescient, as a Deloitte study completed later in 2022, quantified how critical cybersecurity is to all digital transformation initiatives, with the cloud being the most important.
“This means security is now a driver of business strategy rather than buried as an operational line item that only needs to be managed and measured as a cost,” Chris Gilchrist, principal analyst at Forrester, said during a session at Forrester’s 2022 Security and Risk Forum. “In other words, security now has the leeway to defend and drive growth.”
At the same event, Forrester VP and Lead Analyst Jeff Pollard hosted a session titled “Cybersecurity Drives Revenue: How to Win Every Budget Battle.” This provided valuable guidance, insights, and a helpful framework that CISOs can use to define their budgets by showing the revenue contributions they help protect and deliver.
“If something generates as much revenue as cybersecurity, it’s a core competency,” Pollard said in his presentation. “And you can’t claim it isn’t.”
Any cybersecurity vendor knows that if they can help their customers fine-tune their budgets with benchmarking, customer lifetime value (CLV), one of the most valuable measures of customer success, will be maximized. That’s why leading cybersecurity platform vendors have internal spending benchmarks that they provide to clients and prospects to build a business case.
It’s best to use vendor-provided benchmarks to identify major gaps that cybersecurity and IT teams have yet to account for in budget cycles. No set of benchmarks will be a perfect fit for any given company’s challenges, so it’s best to think of each set as budgeting and planning guardrails. There are many versions of the truth for benchmarking cybersecurity spending.
Some of the many cybersecurity benchmarks available are those of AT&T Cybersecurity, Boston Consulting Group, CSO Online, Cybersecurity Dive, the Forrester Planning Guide 2023: Security and Risk, and SANS.
Clutch also recently released a useful template that shows how to create a cybersecurity budget for small businesses.
Benchmarking cybersecurity spending
Because every company has a unique set of cybersecurity challenges made more complex by their reliance on sales, support, and supply chain networks, it’s impossible to have a single, definitive benchmark across all industries. The following guidelines reflect the consensus of the latest benchmark studies along with interviews that VentureBeat has conducted with CISOs, CIOs, and security and risk management (SRM) leaders.
Percentage of IT budgets spent on cybersecurity
On average, enterprises are spending 9.9% of their IT budget on cybersecurity in 2022. Technology, healthcare, and business services (including insurance) lead all sectors in cybersecurity investment. What is concerning is how little the education, retail and manufacturing sectors are spending on cybersecurity. The benchmark data further confirms that the manufacturing security epidemic needs a zero-trust remedy.
Cloud-based software is 20% to 25% of most budgets
Consistent with previous research from Gartner and IDC, cloud-based software spending typically accounts for 20 to 25% of cybersecurity budgets. The figure can be significantly higher depending on the cloud maturity of a particular company and industry.
For example, in technology and healthcare, CISOs tell VentureBeat that cloud-based software spend can make up 40% of their budget given the complexity of the tech stack they manage across multiple business units.
CISOs allocate 20% of their budget to infrastructure security
Many CISOs are looking to revamp legacy tech stacks to protect infrastructure, IoT, industrial control systems, and operational technology (OT) apps and systems.
Identity and Access Management (IAM) and Privileged Access Management (PAM) are among the fastest-growing budget categories as of 2023. While Deloitte’s research found that 12% of budgets are allocated to IAM, VentureBeat hears from CISOs that this figure is growing faster than the market and that cloud-based PAM systems help close gaps in tech stacks.
Lessons learned from CISOs who excel at benchmarking and budgeting
Viewing benchmarking and budgeting as an iterative process is critical to success. A CISO told VentureBeat that the benchmarking, budgeting and course correction cycle must become part of an organization’s DNA to succeed.
CISOs also tell VentureBeat that benchmark data varies significantly by segment and sub-segment of an industry, so knowing the unique challenges is critical. By comparing benchmark data, gaps can be identified and acted on.
A manufacturing company CEO told VentureBeat that the most valuable aspect of benchmarking is finding gaps that no one thought of before and correcting them quickly to close them. That company shifted spending from defense to cyber resilience, coinciding with its zero-trust initiative.
Knowing how to navigate benchmark data to build a budget that both finances cyber resilience and generates revenue is a skill that boards of directors look for. The better a CISO gets at balancing the two, the more likely their career is to advance.