Knee-jerk security budget reactions and impractical expectations are hampering the ability of CISOs to make business-critical security investments.

Misguided expectations on security spend are causing problems for CISOs despite notable budget increases. That's according to new research from risk and cybersecurity solutions provider BSS, which surveyed 150 security leaders. It found that while most CISOs are experiencing noteworthy increases in security funding, impractical expectations of budget holders are leading to significant amounts being spent on what's hitting the headlines instead of strategic, business-centric investment in security defenses. This lack of understanding shows that a lot of work needs to be done to ensure that information security receives the attention it deserves, especially in the boardroom, the report said.

The Information Security Maturity Report, which was released earlier than the BSS research, revealed that just over half of the 182 security leaders surveyed saw their budgets increase from last year, although the degree of increase was typically lower when compared to the previous year's report. Key factors contributing to increased spending include the evolution of the cyber threat landscape (39%), keeping up with peers (21%), and investing in recruitment and training (18%), the report found.

CISOs seeing significant budget increases after high-profile cyber incidents

Overall, 61% of the security leaders surveyed by BSS have seen their security budgets increase, with the highest finding (73%) among CISOs with an annual security budget of GBP500,000 to GBP1 million, according to the report. Most CISOs cited increases of between 10% and 30%, on average. Perhaps most tellingly, 78% of CISOs said they have received extra budget after high-profile cyber incidents such as data breaches and ransomware attacks, symbolic of changing attitudes to information security in organizations, the report said.

However, knee-jerk reactions in relation to increased budgets lead to over half (55%) of CISOs having to allocate funds towards addressing issues reported in the media rather than making more tactical business decisions, BSS said. This is often a symptom of impractical expectations of budget holders when threats to the business aren't fully understood, said Chris Wilkinson, director at BSS. "Our research shows a problematic lack of understanding by the wider business of the current threat landscape and where budgets should be spent."

Cybersecurity does not top board agendas, CISOs lack voice in the boardroom

This problem is exacerbated by the fact that security is often not high enough on the agenda of boards, the report said. Just 9% of CISOs said information security is always in the top three priorities on the boardroom's meeting agenda, and less than a quarter (22%) of CISOs are actively participating in business strategy and decision-making processes. To make a shift, CISOs need to leverage heightened awareness of security to their advantage, BSS said. "This is an excellent opportunity for security leaders to educate the board on the most critical threats and the potential business impacts of these threats if they are not addressed," the report read.

Talking to the board about cybersecurity in a way that is productive can be a significant challenge for CISOs, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organization. Mistakes that CISOs often make when speaking to the board include using over-technical security language, focusing on the wrong threat impacts, failing to prepare for potential questions, and relying on out-of-box cyber risk reporting. In March, the UK National Cyber Security Centre (NCSC) published the Cyber Security Toolkit for Boards, including resources designed to help board members understand and govern cyber risk more effectively.