Despite frequent news headlines describing large-scale data breaches around the globe, chief information security officers (CISOs) still struggle to justify security investments to top leadership. According to Gartner, security spending makes up only about 5.6 percent of overall IT funds.

Whatever security budget is ultimately approved by enterprise leadership, it’s up to CISOs to optimize the allocation of that money. More funds might help, but only if they know how to spend it effectively — and that planning starts before the first pitch. Let’s take a closer look at four key steps security leaders can take to maximize their return on security investment.

1. Assess Risks, Assets and Resources

A CISO should first thoroughly evaluate the systems, data and other business assets that are both valuable and potentially at risk in the organization. Today, this makes up an ever-evolving network, and priorities will shift over time to reflect changes in the business and the threat landscape.

“You should first identify and document the assets you need to protect most,” said Jo-Ann Smith, director of technology risk management and data privacy at Absolute. “What’s important to your business, and what are the main threats to your systems and data?”

That evaluation needs to take place before you even set foot in the executive office or boardroom to advocate for security. Its findings will be foundational to the security program’s goals and budget recommendations. Technologies purchased and the needs they serve will be unique to each business.

In other words, the results of the initial review could mean many different things for different CISOs. The general models provided by industry frameworks can help security leaders shape priorities and identify gaps specific to their businesses.

Kip Boyle, CEO of Cyber Risk Opportunities, noted that the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the best method to assess cyber risk.

“We find that most companies are underinvested in such key mitigations as indemnity contractual provisions with suppliers and customers, antiphishing training, cyber insurance coverage and crisis management planning,” he said. “Yet these are all crucial to mitigating modern cyberthreats.”

Listen to the podcast series: A CISO’s Guide to Obtaining Budget

2. Align the Security Budget With Business Goals

When demonstrating the return on security investment to executives and board directors, security leaders must speak the language of money. How does security serve the business?

“CISOs should always align with the business when evaluating how to spend,” said Larry Friedman, CISO at Carbonite. “Security spend should be calculated based on the risk associated with assuring continuity with important business processes.”

This goes beyond protecting data and maintaining regulatory compliance. Seeking opportunities to use security funding not just for risk mitigation, but also to boost revenue and accomplish other business wins such as enhanced productivity, helps the CISO position security as a dynamic business enabler rather than a static cost center.

The CISO should implement automated security intelligence and analytics tools to reduce the security team’s busywork and help it focus on more strategic projects. As you analyze opportunities for investment, consider not only how much they cost, but also how much they could save the company or add in value.

3. Hire and Train Good People

The oft-lamented cybersecurity skills gap shows few signs of closing. A recent report from the International Information System Security Certification Consortium (ISC2) placed the worldwide cybersecurity skills gap at almost 3 million unfilled positions, and about two-thirds of businesses believe they have inadequately staffed security teams.

It stands to reason that one of the best investments in a security program is an effective staff. However, in a tight market for employers seeking talent, organizations may have to look inward and invest in training employees who otherwise might not have considered a security career.

By training people who are already part of the organization and recruiting them to work in security, CISOs can offer opportunities for professional growth and build their security teams while taking advantage of the employees’ institutional knowledge.

4. Invest in Security Culture

An effective cybersecurity strategy must include a corporate culture in which every employee values security. But the “2018 Cybersecurity Culture Report” from the Information Systems Audit and Control Association (ISACA) and Capability Maturity Model Integration (CMMI) Institute found that most organizations still struggle with establishing a security culture. In addition, 95 percent of survey respondents noted a gap between their current and desired organizational culture of cybersecurity.

What does it mean to build security culture into a business? It means getting all employees — from the security team to the executive suite — to feel invested in the company’s security and risk posture and to engage in secure behavior. Investments in security culture could include initiatives such as awareness training, a secure development life cycle program, and rewards for employees who demonstrate compliance and report incidents.

Some numbers bear out the benefit: According to the ISACA/CMMI study, organizations that reported an inadequate security culture spent 19 percent of their annual cybersecurity budget on training and awareness. Firms that reported stronger cultures spent a share more than twice as large on average (43 percent).

In an ISACA blog post about the study results, Heather Wilde, chief technology officer (CTO) at ROCeteer, noted that the benefits of security culture investment go beyond security. A majority of respondents (66 percent) said their organization experienced a reduction in cyber incidents, but Wilde noted that many other benefits were customer-facing: improved trust, stronger reputation and increased revenue, to name a few.

There is no simple answer to the question of how best to allocate security budget dollars, and the optimal course will vary widely from business to business. But a thorough assessment of a company’s current security posture and culture, along with an evaluation of how security can benefit business goals and enable the company mission, gives the CISO a road map for prioritizing investments.

