SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
How to make your cybersecurity budget work harder
Fri, 21st Oct 2022


The digital economy is being disrupted by data, with an estimated 79 zettabytes of data created and consumed last year. This staggering number results from the billions of everyday online activities that occur among businesses, people, devices, and processes.

But as the volume and value of data increase, so does the motivation for hackers to steal it, as evidenced again in Australia by the recent attacks on the country’s largest telecommunications firms.

As such, cybersecurity remains a growing concern across all industries, and budget requests are increasing as a result. But if we’re continuously spending more, then why are organisations still getting hacked at an increasing rate? 

We believe now is the time for executives to reconsider their current operating model and ensure their cybersecurity budgets are working as hard as possible. In a recent poll conducted at one of our online seminars, 84% of our EMEA audience and 67% from APAC agreed that doubling their cybersecurity budget would not halve the risk or impact for their business.

Cybersecurity departments are finding it extremely challenging to justify budget increases when they are not seen as directly contributing to revenue. There was also a time when cyber insurance was regarded as a safeguard and magic wand to protect us from financial risk. But now, these providers are placing more onus on organisations to ensure preventative measures are in place, including risk assessment, controls, and cybersecurity operations.

It is essential to take a step back and consider how you can improve your approach. The key question remains, “How do you do more with less?” You can’t protect everything, so you need to understand what matters most and be able to manage, mitigate, and transfer cyber risk by working with a range of organisational stakeholders. 

Here are four strategies that can help.

1. Embrace the evolution of profit and loss for cybersecurity

A profit-and-loss framework for cybersecurity enables organisations to identify their current level of risk, prioritise their efforts based on their unique risk profile, and set benchmarks for improvements over time. The goal is to create an environment where you can proactively manage your cybersecurity risk factors rather than addressing them reactively. Returning to our recent poll, 61% of our EMEA audience and 89% from APAC agreed they need to approach cybersecurity from a profit-and-loss perspective.

2. Become situation-aware

Awareness is the ability to look at all the information available, recognise what’s important, and act accordingly. It’s a skill that can be learned, practised, and improved over time. You can’t fix what you don’t know, so it’s essential to have a clear understanding of the risks in your organisation and those that might arise in the future. We commonly see three types of awareness:

  • Situation awareness: When an organisation understands the critical and operational elements (people, data, and process) needed to execute its information security strategy.
  • Situation ignorance: When an organisation assumes everything is okay without considering the impact of people, data, and processes. It may be implementing security controls and awareness training, but there is no straightforward process behind them. The strategy does not align with risk reduction and mitigation, yet budgets continue to increase.
  • Situation arrogance: These organisations continue to spend huge amounts of budget while still getting compromised. They might consider people, data, and processes, but they fail to act.

From our audience poll, 57% of our EMEA and APAC audiences believed they were situation-aware; 31% from EMEA and 43% from APAC said they were situation-ignorant, and 11% from EMEA said their organisations were situation-arrogant.

Try to identify your organisation’s cyber maturity so you know where to make improvements. To test impact and likelihood, ask your peers: in the event of a breach, what data would you be most concerned about if hackers applied ransomware to it? To test risk-versus-control effectiveness, consider where that data is located. To gauge the impact and level of risk, find out which business functions would be affected.

3. Adapt or become irrelevant

Cybersecurity operations should be tailored to your organisation’s unique needs; there’s no one-size-fits-all approach. The move away from traditional operating models to something more targeted requires a strong foundation for transformation and change. This includes culture, process, measurement, resources, accountability, and automation.

Only% of our EMEA audience and 30% from APAC felt they have the foundations for a targeted operations model to carry over to cybersecurity. You are definitely not alone if your organisation has foundational work to do.

4. Implement protection-level agreements

To eradicate a critical vulnerability, you might need to reboot systems, revisit patch management, or disrupt service. It can be hard to assign a value to this work, but it will inevitably increase your budget.

For example, to reduce a critical vulnerability, the average cost for the business is approximately USD $1.7 million per year. But what if we set up a protection-level agreement (PLA) so that any critical vulnerabilities are eradicated and managed within 30 days? That would reduce operational costs to approximately USD $260,000 per year.

But what if you are breached on day 25? That isn’t a control failure – it results from a business decision that has been agreed upon. 

PLAs enable you to track and monitor threat activity, so the business and leadership team can understand why you were breached. The approach also highlights gaps in your foundation, enabling you to address them before they become serious problems. For example, it might highlight potential challenges in handoff, process, or accountability. Additionally, a PLA is a language your stakeholders understand.
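As an added illustration (not from the article or its authors), here is a small Python tracker that classifies critical findings against the 30-day PLA window described above and reports compliance to stakeholders; the finding IDs, severities and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation window for critical findings agreed in the PLA (30 days in the article).
PLA_WINDOW_DAYS = 30


@dataclass
class Finding:
    vuln_id: str                        # hypothetical tracker ID, not a real identifier
    severity: str                       # "critical", "high", ...
    discovered: date
    remediated: Optional[date] = None   # None while the finding is still open


def pla_deadline(f: Finding) -> date:
    """Last day on which remediation still meets the PLA."""
    return f.discovered + timedelta(days=PLA_WINDOW_DAYS)


def pla_status(f: Finding, today: date) -> str:
    """Classify one finding: met / open / breached / out_of_scope."""
    if f.severity != "critical":
        return "out_of_scope"           # the PLA covers critical findings only
    deadline = pla_deadline(f)
    if f.remediated is not None:
        return "met" if f.remediated <= deadline else "breached"
    # An unremediated finding inside the window is an accepted, agreed exposure,
    # not a control failure; it only becomes a PLA breach once the deadline passes.
    return "open" if today <= deadline else "breached"


def pla_report(findings, today):
    """Count findings per status and compute compliance over met + breached items."""
    counts = {"met": 0, "open": 0, "breached": 0, "out_of_scope": 0}
    for f in findings:
        counts[pla_status(f, today)] += 1
    decided = counts["met"] + counts["breached"]
    compliance = counts["met"] / decided if decided else 1.0
    return counts, compliance


# Constructed sample data, evaluated as of a fixed "today".
TODAY = date(2022, 10, 21)
SAMPLE = [
    Finding("VULN-1", "critical", date(2022, 9, 1), date(2022, 9, 20)),   # fixed on day 19
    Finding("VULN-2", "critical", date(2022, 9, 1), date(2022, 10, 15)),  # fixed on day 44
    Finding("VULN-3", "critical", date(2022, 10, 10)),                    # open, day 11 of 30
    Finding("VULN-4", "high", date(2022, 8, 1)),                          # not covered by the PLA
]

if __name__ == "__main__":
    counts, rate = pla_report(SAMPLE, TODAY)
    print(counts, f"PLA compliance: {rate:.0%}")
```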

Everyone is on the same journey

Each stakeholder in your organisation is at a different stage of their journey. They have different expectations about how cybersecurity will impact them or their department. They also have different levels of technical knowledge. When planning communications, consider these differences to get them on board with your vision, working with them to ensure everyone’s expectations can be met.