Dark Reading is part of the Informa Tech Division of Informa PLC

Joan Goodchild

Think You're Spending Enough on Security?

While the amount will vary from organization to organization, here are four ways for everyone to evaluate whether they're allocating the right amount of money and resources.

(Image: Funtap via Adobe Stock)

Figures run the gamut as to how much organizations are spending on security. For example, at the end of last year (and pre-COVID-19), Gartner reported average spending on cybersecurity was 5% to 8% of overall technology budgets. Meanwhile, a more recent CIO survey of 683 IT executives worldwide places that statistic at 15%, on average, though 23% of the execs indicated they were spending 20% or more of their IT budgets on security.

So how much is enough? And what's the best way to evaluate whether you are allocating the right amount of money and resources toward security and risk mitigation?

"Is there a magic dollar amount every team should spend? No, but there is definitely a number that isn't acceptable, and that is zero," says Aaron Zander, head of IT at HackerOne.

Hack Yourself Secure
Of course, one effective way to at least identify holes and find places for improvement and investment is to test yourself.

Oliver Tavakoli, CTO at Vectra, suggests challenging your organization with pen testing and evaluating results as a way to measure whether security spend is where it should be.

"You know you're not secure enough when at least 50% of the time you cannot root-cause security incidents," he explains. "You know you're not secure enough when roughly the same attack succeeds multiple times."

Good, quantifiable threat behavior data, such as data available through frameworks like MITRE ATT&CK, can serve as a foundation for how prepared a company is against common ways attackers operate, says Chris Kennedy, CISO at AttackIQ.

"The MITRE ATT&CK framework enables organizations to see the attacker kill chain and, with a bit of analysis, show where companies stand against specific attacks," he says. "The security leader can analyze the way known attackers operate and emulate that attacker to validate the security investments in place are working as expected and are therefore actually worth the investment."  

Follow a Framework
Speaking of frameworks, MITRE ATT&CK is just one of many that security leaders can turn to in an attempt to apply some kind of formula to budget decisions. A security framework can serve as a guide and offer a foundation for measurement.

Mark Orlando, co-founder and CEO of security firm Bionic, advises CISOs to devise a maturity framework specific to their organizations and then measure security's progress within it. This helps to keep spending objective and ensure that budget line items are prioritized according to risk, business need, and industry or regulatory changes. What's more, budget planning according to the framework should not be done in a vacuum, he says.

"CISOs should engage with peers in their industry or market vertical, review public reporting on shifting threat and regulatory landscapes, and refer to public benchmarking data to compare their spending to similar organizations to help justify spending adjustments or changing priorities," Orlando says.



Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.