Ask CISOs why their organization has a cyber skills gap, what worries them most, or what the industry's biggest problem is, and budgets will come up every time, though not always as the first point raised.

During a roundtable on industry challenges at RSA Conference 2024, one CISO said plainly that budgets, or the lack of them, are the biggest hurdle. With costs rising across the board, the CISO lamented that security budgets were being cut.

On the cybersecurity talent shortage, the 2024 ISC2 Cybersecurity Workforce Study found that “39% identified a lack of budget as the primary cause for cyber vacancies, surpassing talent scarcity as the former top factor for staff shortages.” According to Forrester’s 2024 Cybersecurity Benchmarks Global Report, cybersecurity funding amounts to just 5.7% of the total IT budget, which makes it hard for CISOs to hire the right people or to upgrade tools and solutions.

The problem, however, may lie less in the size of the budget than in where cybersecurity sits in the organization. The Forrester report found that CEOs view cybersecurity differently when it is treated as part of IT, with the CISO reporting to the CIO, than when the CISO can present cybersecurity as a core element of the business and tie it directly to business risk.

“CISOs capable of articulating the business value of cybersecurity, showcasing its ability to boost revenue and uphold strategic objectives, are more likely to secure the essential funding. This transition also underscores an increasing acknowledgment of cybersecurity’s strategic significance transcending mere IT operations,” noted Louis Columbus in a write-up.

Critical matters in cybersecurity funding

Once cybersecurity is seen as a core part of business operations rather than an IT function, CEOs and CISOs tend to converge on budget questions.

“Security funding and supervision represent top priorities for both the management team and the Board of Directors,” emphasized Dave Gerry, Bugcrowd’s CEO.

“Elevating cybersecurity investments is prioritized against the cyber threats encountered by the organization, the identified IT risks requiring mitigation, or the customer and compliance responsibilities necessitating compliance,” Gerry elaborated. “However, thematically, it all converges on safeguarding the confidentiality, integrity, and availability of the data we oversee — be it that of customers, employees, or critical business associates — while concurrently facilitating our business.”

Risk prioritization and keeping the business running are the two primary focuses for George Jones, CISO at Critical Start. Together with emerging threats and vulnerability controls, they make up the four elements Jones describes as the security foundation for an enterprise, one that lines up with the organization's overall goals and objectives.

One driver behind the restructuring of cybersecurity investment is the Securities and Exchange Commission (SEC) rule on disclosure of cybersecurity incidents. Public companies must now disclose material incidents and describe their cybersecurity risk management programs in their financial filings.

“Following the recent SEC directives, Boards exhibit heightened attention towards cyber risk mitigation, emphasizing the critical need for adequate funding, particularly as the organization’s attack surfaces continue to expand rapidly,” added Gerry.


Collaboration between CISOs and CEOs

CISOs and CEOs (often together with the CFO) need an ongoing conversation about cybersecurity investment, but each side comes to that conversation from a different perspective.

“From the CEO’s standpoint, the focus lies in ensuring that security initiatives deliver value with manageable impacts on productivity, primarily seeking competitive advantages,” Gareth Lindahl-Wise, CISO at Ontinue, remarked. The CISO, by contrast, is focused on anticipating risks, putting mitigations in place, and resolving issues so that the organization meets all of its legal, regulatory, and contractual obligations.

The shared goal, Lindahl-Wise argues, should be a security posture that helps retain customers, attract investment, or make the company more appealing to buyers. In the end, though, decisions on these matters rest with the CEO and the board.

“When it pertains to budgeting and risk acknowledgment, the CISO stands as a proficient advisor — once a CEO makes an informed and conscious decision, the CISO should have fulfilled their obligations,” Lindahl-Wise added.

Gerry, speaking as a CEO, countered that the final decision on budget allocation belongs to the Board of Directors, which means the CEO and CISO must already be aligned on where security investment goes and what it covers.

“This highlights why it is crucial for the CISO to report directly to the CEO and access the Board of Directors directly,” Gerry stated. “While security is often viewed as an expense center, the new norm advocates that a robust security program functions as a competitive edge and a revenue enhancer, in addition to being a mandatory cost amidst a continually expanding threat landscape.”

The future is AI

CISOs have long recognized the role AI can play in cybersecurity, particularly in handling routine tasks so that overstretched security teams can focus on hands-on work. As generative AI spreads through the workplace, CEOs are increasingly aware of AI's impact on both business and security risk. Some companies are considering appointing Chief AI Officers within their IT and security organizations, a sign that CEOs expect AI to feature in future security budgets.

“Amidst escalating threats, harnessing AI tools allows us to enhance threat detection, automate responses, and refine incident management,” underscored Darren Guccione, CEO at Keeper Security. “Proficient professionals are indispensable to maneuver the rapidly evolving threat landscape, ensuring the effectiveness and security of our AI-driven strategies, necessitating budgetary consideration.”

How AI shows up in the cybersecurity budget depends on how it is used: is it marginal adoption of AI features in commercial tools for productivity gains, or deep integration of AI into the organization's core products and services?

“Should the latter scenario manifest, the CEO must ascertain that the organization possesses the requisite competence to manage the opportunities and risks,” Lindahl-Wise posited. As for the security domain, “My intuition suggests that AI responsibilities will significantly feature in CIO/CTO roles before standalone CAIOs become customary.”

AI is the technology and security driver of the moment, but it will not be the last. Like the technologies before it, it brings risks to both the business and its security posture, and that is where CEOs and CISOs need to come together on joint investment.