Blog: Cyber must deliver much more, without spending much more
“87%: Percentage of enterprises that say they require up to 50% more budget for cybersecurity” [1]
And who doesn’t want to spend more money? It’s pretty hard to find a corporate function that doesn’t have a case for expanding its spend next year. But 50%? That’s insane, isn’t it? Further on in the report you will find that very few cyber leaders believe they will get anything like the budget they need.
Why not? Everyone is aware, including in most boardrooms, that there is a massive cost to under‑investing in cybersecurity. Never mind the 4% of revenue that the ICO might impose for a GDPR breach; it’s your customers that will do the real damage – they won’t hang around if you publicise their data: 60% will think about moving and 30% actually do [2].
I think cyber leaders are struggling more for investment today than in the last couple of years, for two reasons:
- Cyber fatigue. For several years, Boards and CEOs heard that they had to spend more, and so they did. Now they are beginning to say “haven’t we done it yet?”.
- Which leads to the second issue. Cyber professionals know that this is an ongoing arms race. Many executives also recognise this, and with a bit of thought it’s kind of obvious, but it is not universally acknowledged.
That’s not to say that cyber budgets are not increasing. They are. But as Gartner puts it, ‘Security budgets may fall behind, while investments in technologies that increase demand for security, increase.’ [3]
This of course leads to the obvious question for cyber leaders – how to do more for less? Unfortunately, doing more often means a lot more people. For example, Gartner refers to this common buyer question: “How can we do more for threat detection and monitoring?” They go on to point out that although there are many good answers, most of them require more staff [4], which is just about the most expensive part of the puzzle.
Of course, technology is a key part of the solution. But beware the hidden costs. One CISO I know was talking about technology that their predecessor had purchased but that was never properly deployed, because they hadn’t realised they would need to hire at least one, and possibly two, staff with specific expertise. The CISO said to me “it’s like we have a Ferrari in the basement, in a house where nobody has a driving licence”. (Sorry, no, I don’t think it would be fair to name the technology here.)
There are technologies which are much more efficient; the IDECSI Personal Security Guardian is a good example. Critically, this is technology which has a clear understanding of the problem it’s solving, and which can take advantage of the corporate user base to expand detection capability – all of which leads to much greater efficiency.
A few words about Ben Miller
Ben Miller is an experienced technologist and entrepreneur with a background in mathematics and software engineering. He is focused on bringing to market new technologies which change conventional thinking. Within cyber security, we have long been used to complaining about users, and driving more work into the security team. Ben’s particular focus today is technologies which challenge this approach and instead make user empowerment a key part of the cyber discussion.
1. EY Global Information Security Survey 2017-2018
2. https://www.out-law.com/en/articles/2015/july/info-security-professionals-are-business-brand-preservationists-says-aviva-security-chief/
3. 2018 Gartner CEO and Senior Business Executive Survey
4. Gartner Market Insight: Three Ways to Successfully Go to Market With Security Automation
