Leading with a Risk-Informed Cybersecurity Spending Strategy

By taking a smart, measured, and calculated approach to cybersecurity, companies can effectively traverse the tough cyber waters while reducing their risk and exposure.

Evan Rosenfield, Consultant, Boston Consulting Group

May 5, 2023


Companies are facing an onslaught of cyber threats -- from state-backed hackers trying to steal sensitive IP, to criminal ransomware gangs interrupting key operations, as well as vulnerabilities from the inside. No industry is spared -- the threats to industries from healthcare to automobiles are growing in frequency, complexity, and impact. 

CEOs and boards are marshalling resources in response. Despite macroeconomic uncertainty, Gartner predicts that companies will spend more than $188 billion on cybersecurity initiatives in 2023, an 11% year-over-year increase. Cybersecurity headcounts will remain insulated: 88% of companies in the US anticipate cybersecurity staffing levels to remain constant or increase this year, according to (ISC)2.

To confront an ever-changing threat, the challenge is shifting from a spend-more mindset to a spend-for-value mindset. It is no longer enough to treat top-line cybersecurity spend as a leading indicator of an organization's level of protection. Instead, executives must speak the language of risk and ruthlessly evaluate whether their existing cybersecurity strategy and cyber spend are actually reducing cyber risk and exposure. To do so, executives can apply several principles to ensure cyber spend is as effective as possible.

Tailor the Cyber Threat Picture 

Not all cyber threats are created equal. A company must tailor its understanding of the threat environment to its business context and specific cybersecurity requirements. It is easy to get distracted by the latest nation-state exploit while ignoring persistently unpatched software. Formalizing a third-party vendor risk management program may be more important than trying to build an impenetrable network perimeter. Elevate the voice of your cyber threat intelligence team to create a data-informed picture.

Leaders must also map their companies' cybersecurity to their business strategy and align protection of the most important assets -- their Crown Jewels -- with their cybersecurity investment. Just as a bank's armored vaults protect its gold bars, a company's cybersecurity focus must be its most important and critical assets. Stratifying your assets and identifying the greatest threats each tier faces enables you to concentrate protection where it is needed most, including controls, reporting, and governance.

Lean Into Force-Multiplying Partnerships  

General Paul M. Nakasone, director of the National Security Agency, often says, "Cyber is a team sport." No single stakeholder in the cybersecurity ecosystem can unilaterally provide full-spectrum cybersecurity, from detection to remediation. Leaning into collaborative partnerships with industry, academia, and government can be a force multiplier for a company's own cybersecurity capabilities.

Information Sharing and Analysis Centers (ISACs) are central clearing houses that triage cyber threats and vulnerabilities by industry and geography. For example, the Multi-State ISAC provides best practices that help budget- and technically constrained state and local governments cut through the noise of the IT and cybersecurity options on offer and prioritize what is important.

Public-private cybersecurity programs, such as the Department of Homeland Security’s CISA Central, enrich a company’s situational awareness of the universe of cyber threats. Deepening relationships with regulatory bodies such as the National Institute of Standards and Technology eases compliance with the rapidly evolving regulatory environment to avoid costly fines or penalties.  

Streamline Governance and Incident Response 

Comprehensive data and security governance enables organizations to use limited resources more efficiently. By streamlining governance of IT security, OT security, and critical business information, leaders can improve the overall effectiveness and agility of their cybersecurity strategy. 

Companies can harness advances in AI and automated threat detection, such as pattern recognition, to anticipate and preempt potential cyber incidents. (ISC)2 reports that more than 40% of companies will look to further increase automation in cybersecurity operations if the economy worsens. When perimeters are inevitably breached, automation can shorten the response time, enabling prompt and robust incident response and reducing the potential impact of a cyber-attack. In addition, integrating Secure by Design principles builds a reusable set of security controls into technology deployment or the software development lifecycle. This helps companies quickly find and correct vulnerabilities and misconfigurations, reducing the labor and time spent on remediating security issues.

Empower Your People 

When it comes to cybersecurity, your employees can be either your biggest risk or your biggest asset. On the one hand, nearly 8 out of 10 cyber-attacks are caused by human error. On the other hand, your people are on the front lines of your cyber defense. Ensuring these employees are equipped with the necessary training and level of engagement is critical to a successful cybersecurity strategy. Upskilling programs can help companies redeploy underutilized employees to plug urgent cybersecurity talent gaps.

The best defense is preparation. In today's environment, companies must assume malign cyber operations are inevitable and pose significant business continuity and operational risk. By taking a smart, measured, and calculated approach to cybersecurity, companies can effectively traverse the tough cyber waters while reducing their risk and exposure.

About the Author(s)

Evan Rosenfield

Consultant, Boston Consulting Group

Evan is a consultant at the Boston Consulting Group and former cyber and counterterrorism officer in the US government.
