In our last post, we discussed ways to improve the IT budgeting process in 2020 and beyond. Rather than simply allocating a percentage of revenue to IT, organizations should consider ways that IT can add value to the business. The right IT investments can increase profitability, improve productivity, reduce risk, and enable innovative solutions and services that provide competitive advantages.

But while innovation should be a priority in establishing IT budgets, it cannot come at the expense of cybersecurity. In one recent survey, three out of four North American organizations said they lack an adequate security budget, and 59 percent said they lack executive support for key security initiatives. Another study found that 90 percent of organizations allocate budget to customer service, sales and other business needs ahead of cybersecurity.

The struggle to balance the desire for IT innovation with the need for strong cybersecurity is due, in part, to distinctly different views of cyber-readiness among company executives, business staff and IT professionals. In a recent survey of 500 U.S. organizations by IT industry trade group CompTIA, 55 percent of executives and 61 percent of business staff rated their cybersecurity efforts as completely satisfactory. However, just 35 percent of IT staff are completely satisfied with their organization’s cyber-readiness.

Other trends identified in the survey illustrate similar disparities. For example, nearly half of the companies surveyed said that cybersecurity is discussed as a standalone topic affecting business operations. But while 91 percent of executives and business staff said there is a strong understanding of cybersecurity within their company, only 78 percent of IT staff feel the same way. This suggest that non-technical staff lack the information they need to make informed decisions regarding cybersecurity risks.

The report does show a sizeable increase in the number of companies making “heavy” use of metrics to evaluate their cybersecurity performance — 39 percent this year up from 21 percent in 2018. Almost half (48 percent) of small companies say they are using metrics, perhaps with the help of third-party firms to manage their security. Among large organizations, 37 percent are using metrics, followed by midsize firms at 27 percent.

This a positive trend given that the use of metrics enables a data-driven approach to cybersecurity budgeting. Organizations should start with a formal risk assessment to determine the greatest threats to the business, and run scans to identify gaps in their cybersecurity posture. With this information, organizations are in a better position to develop a comprehensive cybersecurity strategy and prioritize investments that will have the greatest impact. These tests should be performed at regular intervals and the strategy adjusted to reflect changing business needs and cyber threats.

SSD Technology Partners provides comprehensive security assessment services as part of our Assurance program. Our experts will evaluate your environment, and provide executives with the information they need to make better budgeting decisions. We can then help you select and implement the right security tools, and manage and maintain your environment long term. Let us help you determine how much budget to allocate to cybersecurity to reduce the risk of a potentially devastating cyberattack.