Misguided expectations about security spend are causing problems for CISOs despite notable budget increases. That is according to new research from risk and cybersecurity solutions provider BSS, which surveyed 150 security leaders. It found that while most CISOs are seeing noteworthy increases in security funding, the impractical expectations of budget holders mean that significant sums are spent on whatever is hitting the headlines rather than on strategic, business-centric investment in security defenses. This lack of understanding shows that much work remains to be done to ensure that information security receives the attention it deserves, especially in the boardroom, the report said.

The Information Security Maturity Report, released before the BSS research, found that just over half of the 182 security leaders it surveyed saw their budgets increase on the previous year, although the size of the increase was typically smaller than in the previous year's report. The key factors behind increased spending were the evolution of the cyber threat landscape (39%), keeping up with peers (21%), and investment in recruitment and training (18%), that report found.

CISOs seeing significant budget increases after high-profile cyber incidents

Overall, 61% of the security leaders surveyed by BSS have seen their security budgets increase, with the highest proportion (73%) among CISOs with an annual security budget of £500,000 to £1 million, according to the report. Most CISOs cited increases of between 10% and 30%. Perhaps most tellingly, 78% of CISOs said they had received extra budget after high-profile cyber incidents such as data breaches and ransomware attacks, which the report described as symbolic of changing attitudes to information security within organizations.

However, knee-jerk reactions to such incidents mean that over half (55%) of CISOs have had to allocate the extra funds to addressing issues reported in the media rather than to strategic, business-led decisions, BSS said. This is often a symptom of budget holders having impractical expectations when the threats to the business are not fully understood, said Chris Wilkinson, director at BSS. "Our research shows a problematic lack of understanding by the wider business of the current threat landscape and where budgets should be spent."

Cybersecurity does not top board agendas, CISOs lack voice in the boardroom

The problem is exacerbated by the fact that security is often not high enough on the board's agenda, the report said. Just 9% of CISOs said information security is always among the top three priorities on the boardroom meeting agenda, and fewer than a quarter (22%) of CISOs actively participate in business strategy and decision-making processes.

To make a shift, CISOs need to use the heightened awareness of security to their advantage, BSS said. "This is an excellent opportunity for security leaders to educate the board on the most critical threats and the potential business impacts of these threats if they are not addressed," the report read.

Talking to the board about cybersecurity in a productive way can be a significant challenge for CISOs, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organization. Mistakes that CISOs often make when speaking to the board include using overly technical security language, focusing on the wrong threat impacts, failing to prepare for likely questions, and relying on out-of-the-box cyber risk reporting.

In March, the UK National Cyber Security Centre (NCSC) published the Cyber Security Toolkit for Boards, a set of resources designed to help board members understand and govern cyber risk more effectively.