Spending more on cybersecurity does not up your protection

by Paul Proctor
February 20, 2023
Photo by Mike B: https://www.pexels.com/photo/gray-scale-photography-of-knight-350784/

Spending a lot on cybersecurity does not mean great protection. Believing otherwise leads to big security budgets and disappointed executives.

Sadly, one of the more popular questions that Gartner gets from our clients is “How much should I spend on cybersecurity?”

“We didn’t spend enough money on that.”

…Spoken by no CFO, ever

Executive business decision-makers do not judge any other part of their business by the amount they spent on it. So why do they do it with security?

One of the biggest mistakes organisations can make is to conflate cybersecurity spend with protection. This leads to big security budgets that have no relationship to better security, and to executives disconnected from the reality of how security investment really works.

The problem is created by these seemingly contradictory statements that are both true.

  • Spending a lot on cybersecurity does not mean you have good protection.
  • You will need to make an investment if you want to become better protected.

“Make an investment” may be more money or investment in time and effort to change from an older, less effective process or control to a newer, more effective one. The net may be cost savings, but you still must make an investment to create the change.

I know organisations that spend a ton of money on security and are terribly protected. I also know organisations with very modest security budgets that have created great levels of protection. Basically, money doesn’t equal protection, but the investment is absolutely necessary if you want to become better protected.

It is true that “it all comes back to money.” But in cybersecurity investing, budget approval is only the start. Value is created by spending the money to create protection-level outcomes.

Those outcomes dictate your protection, not the money you spent delivering them. The fact that you bought and implemented some cool stuff doesn’t mean better protection either.

When executives conflate the size of the budget with a level of protection, this leads to throwing money at the problem. That’s how organisations end up with big security budgets and poor protection.

Behaviours that reinforce the idea that cybersecurity spending = protection

The following behaviours should be avoided.

Behaviour #1: Treating budget approval as a success

Many CISOs treat getting a budget as a success. They build business cases, money is allocated and spent on tools, and all of this is reported back to the executives as progress. This pattern reinforces executives’ belief that money is buying them better protection.

In each board meeting, the CISO reports the progress of money spent and tools implemented. This creates a self-affirming cycle between the CISO and management. The CISO gets more money/success and the executives believe they are getting better protection so they give the CISO more money, and on, and on.

…until the spending becomes so great that the executives ask what they got for all that money.

…or when the organisation experiences a material cyber incident.

In both cases, the executives are left disillusioned.

Behaviour #2: “Money is not a problem. I can get whatever I need.”

A recent article in the WSJ quoted Amazon CISO Stephen Schmidt:

Mr. Schmidt reports to Amazon Chief Executive Andy Jassy, who is focused on security. “That does actually make my job easier,” Mr. Schmidt said. “Andy has never turned me down for something that I said is necessary to do the job.”

I hear this sentiment expressed regularly, especially in large enterprises with well-funded security programs. For CISOs who are in this position, this is universally stated with pride because it’s an indicator of executive trust.

Trust is a good thing, but this also establishes a line of responsibility to the CISO. If something goes wrong, it’s completely legitimate to inquire why the CISO didn’t ask for something that would have prevented the incident. This expectation is amplified if the security budget is well-funded and the executives equate spend with protection.

Behaviour #3: Cybersecurity spending benchmarks are the primary motivation for security investment

Cybersecurity spending benchmarks are a powerful tool to understand where you’re putting your money. When they are interpreted as a protection level, they lead to throwing money at the problem.

You should use spending benchmarks as leading indicators of underinvestment. You also need a story about what you’re doing with the existing budget, and what you will do with new budget to change protection levels.

To change hearts and minds, avoid these three CISO behaviours and actively move your executives off the idea that “money = protection”:

  • Don’t report spending money on tools without also reflecting a change in a protection level.
  • Manage expectations with executives who approve budget requests because they trust you.
  • Don’t lean exclusively on cybersecurity spending benchmarks to make the case for better protection.

The Bottom Line

It is not appropriate for executives to treat the CISO as the arbiter of appropriate protection and enable this by giving them whatever they request. This behaviour should be tempered with an understanding that security is a choice and a business decision. The executives should be thoughtfully engaged in the choices presented by the CISO.

Measure outcomes and treat the spend as a necessary part of the conversation.

Focus on the protection level outcomes your executives say they want, within the organisation’s willingness to pay for them.

First published on Gartner Blog Network


Paul Proctor is a VP and Distinguished Analyst, and former Chief of Research for Risk and Security at Gartner. He leads CIO research for technology risk, cybersecurity and digital business measurement. Mr. Proctor advises CIOs, executives and boards to manage risk and balance the needs to protect with the needs to run their business. Proctor's coverage includes board reporting, outcome-driven metrics, risk management, the Gartner business value model, and digital business transformation. His ground-breaking research in risk, value, and cost management helps organizations prioritize and invest in the readiness of technology to support their business and mission outcomes. In 2016, he was appointed to the University of California Cyber Risk Advisory Board by former Secretary of Homeland Security and UC President, Janet Napolitano.

Previous experience

Mr. Proctor has been involved in various aspects of risk management and the business value of IT since 1985. He was the founder and CTO of two technology companies and developed first and second-generation host-based intrusion-detection technologies. He is a recognized expert in the fields of risk management, information security, and associated regulatory compliance issues. He has authored two books published by Prentice Hall. He was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of 11th September. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder, and Practical Security.

Professional background

  • SAIC: Engineering Manager
  • Centrax: Founder and Chief Technology Officer
  • CyberSafe: Chief Technology Officer