Two CISOs Pay $400k for Security, Yet One Spends 10x More. How?

New survey data shows that the majority (55%) of cybersecurity budgets goes to reactive, rather than proactive, tools. Ask any infosec professional and they’ll tell you that a solid security program needs both, but could shifting this spend toward prevention produce organizations that are just as secure while spending far less and running much more efficient infosec teams overall?

The Cyber Risk Alliance (CRA) recently published their quarterly Cybersecurity Resource Allocation and Efficacy (CRAE) Index. If that gripping sentence wasn’t enough to make you run from this post, essentially the CRAE tracks cybersecurity investment trends, as well as opinions on how well the corresponding cybersecurity programs are doing.

The index, which includes data from over 300 organizations with over 500 employees, found that 55% of cybersecurity budgets globally are allocated to reactive security measures. This includes detecting, responding to, and recovering from cybersecurity incidents. The remaining 45% is allocated towards proactive measures, including identifying cybersecurity risks and protecting assets from threats.


The CRAE survey maps budget spend to the functions of the NIST Cybersecurity Framework. The proactive functions are Identify (understanding risk) and Protect (safeguarding assets). The reactive functions are Detect, Respond, and Recover. Detecting is about discovering security events in a timely way, Responding is about containing the impact of an event, and Recovering focuses on restoring capabilities that were impaired as a result of it.

Neither of the budget categories tracked by the CRAE includes the often massive costs that follow a breach: identity protection for affected individuals, lost business, regulatory fines, and more. Those costs average nearly $4 million per breach, and the mega breaches that appear far too often in the news can run upwards of $400 million to recover from.

The average organization spends about $7,500 per employee per year on information technology, with about 5.6% of that earmarked for cybersecurity. At those rates, the CISO of a 1,000-employee organization has an annual infosec budget of roughly $400k (5.6% of $7.5 million is $420k), and the survey’s 55/45 split puts around $220k of it into reactive measures and $180k into proactive measures. An “average” breach, at $4 million, therefore costs an order of magnitude more than the entire security budget of an organization like this.

So consider two CISOs with the same $400k budget. One invests heavily in proactive measures and avoids a major breach; the other invests primarily in reactive measures and ends up cleaning up after one. The second CISO’s total outlay is the $400k budget plus roughly $4 million in breach costs, so the first ends up spending about 10x less overall.

This is why risk-based cybersecurity strategies are at the top of many CISOs’ priority lists. They allow an organization to proactively identify its cybersecurity risks and mitigate the most important ones first. The result? Massive reductions in overall breach risk.

As founding father, kite flying expert, and cybersecurity guru, Ben Franklin, famously stated, “an ounce of prevention is worth a pound of cure.”

