The cost of cybercrime jumped to over $1 trillion in 2020, according to McAfee. That number combines monetary losses (over $900 billion) with the cost of providing cybersecurity (about $145 billion).
To balance the discrepancies between losses and expenditures, cybersecurity spending is expected to jump 10% in 2021. Organizations of all sizes are increasing their security budgets; however, the way they approach spending has changed.
"Companies are concerned about cybersecurity breaches, and while fear is still a driving factor, compliance and risk management are taking center stage," said Jenai Marinkovic, vCTO/CISO at Tiro Security and member of ISACA Emerging Trends Working Group.
Because of the pandemic, organizations have to rethink their cybersecurity investment priorities. With the need for cloud services, there is a greater push for cloud security solutions.
The increase in supply chain attacks such as the SolarWinds breach has increased the focus on third-party supplier risk assessments. Data privacy trends shifted focus to investment in AI/ML solutions centered on data protections.
Even as cybersecurity trends and attack vectors have changed, many organizations continue to rely on — and invest in — the same tools and systems they've used for years. While companies may look to increase their cybersecurity budgets, they are actually underinvesting in the solutions needed to meet today's threat landscape.
Attacks will happen no matter how much you spend
Cybersecurity, like IT, is a cost center for companies. It makes sense that companies would want to limit their security efforts to what is necessary.
"For larger organizations especially, it's completely possible to spend every dime a company makes and more on cybersecurity, with diminishing returns, so it's definitely a balancing act," said Mike Wilson, founder and CTO of Enzoic.
However, actual spending more often than not goes toward the bare minimum of what the organization needs to do to stay compliant with industry and government regulations, especially in smaller businesses or those that don't have a dedicated security team.
This compliance-centric approach to security persists despite the constant evolution of attacks. But even with the best cybersecurity technology and training in place, the most successful attacks take advantage of the human factor and the mistakes people make. That is hard to mitigate, no matter how much you spend.
"While I do think many companies underinvest and more attacks could be thwarted, this is not a problem that is going to go away any more than any other type of crime goes away with better prevention and enforcement," said Wilson.
Spending and cybersecurity posture
The issue isn't how large of an investment in cybersecurity an organization makes, but rather, if it is spending that money properly.
"One of the most overlooked cybersecurity costs is on defending against threats that do not exist anymore," said Ameesh Divatia, co-founder and CEO of cloud data protection company Baffle.
For example, protecting against physical theft of storage media was a priority in the early days of centralized data centers. Because of outdated compliance mandates, that budget allocation still persists, even though it no longer improves an organization's security posture.
It is hard to directly correlate cybersecurity spend with a company's security posture. Cybersecurity projects tend to be long-term commitments and it takes time for the value to show up in analysis.
"However, there are certain areas, cybersecurity premiums, for example, that are directly impacted when an organization adopts a new control, such as data-centric protection," said Divatia.
As privacy awareness becomes ubiquitous, another measure of return on cybersecurity investment is how an organization's brand is affected by its public data privacy statement, which informs consumers of its data retention policies and of who has access to customer data.
How security spending has changed
"Over the last five years, we have seen several trends leading to increased security spend," said Marinkovic.
The migration to the cloud drove a transition from capital spending associated with physical systems to expense-based spending. An increase in ransomware, and attackers' success in exploiting proven monetization models (such as ransom-based distributed denial of service attacks), has driven insurers to focus on endpoint security, cloud storage security and business continuity.
Understaffing has driven organizations toward engaging consultants or outsourcing entire capabilities, as 66% of respondents say it's difficult to retain cybersecurity talent (an increase from last year), according to the ISACA State of Cybersecurity 2020 study.
These are just a few of the factors driving an increase in overall spending. However, ISACA's report indicated that the rise in cybersecurity budgets remains less than the 64% reported two years ago. Just 58% of respondents anticipated an increase in cybersecurity budgets, an increase of three percentage points from the previous year.
"This increase suggests spending may be leveling out given the five-year trend," said Marinkovic.