Co-authored by Tyler Moore, Scott Dynes and Fred Chang.

Over the past few years, cybersecurity investment processes have changed dramatically. Cyber risk is now a board-level concern, and everyone is sensitive to cybersecurity. What is lacking, however, is an understanding of how firms now prioritize their still-limited security budgets.

How far have investment decisions moved away from the gut-feel and sore-thumb approaches that were common a few years ago, and toward more systematic quantitative approaches such as return-on-investment (ROI) models or explicit IT-to-business risk-mapping processes and frameworks? How do firms manage cyber risks, particularly when deciding whether to make substantial investments?

To understand today’s cybersecurity investment reality, the Darwin Deason Institute for Cyber Security at Southern Methodist University recently completed an IBM-funded field study with the goal of understanding how firms prioritize their security budgets. The research involved conducting 40 semistructured interviews with directors of cybersecurity (i.e., CISOs and similar titles) from a range of firms primarily in the financial, retail, health care and government sectors.

The interviews provided answers to the core questions and offered important insights into the state of cybersecurity investment today. Here we hit a few of the highlights, but you can download the complete report, “Identifying How Firms Manage Cybersecurity Investment.”

Frameworks Help Prioritize Your Cybersecurity Investment

We were somewhat surprised by the central role frameworks play in defining risk perception and investment. Almost every cybersecurity director interviewed uses a framework to define their firm’s cybersecurity status and prioritize investments. These frameworks ranged from well-known options such as ISO and NIST to homegrown frameworks that combine elements of existing standards with custom controls.

Some CISOs also value frameworks as a powerful way to make the business risks arising from cyber events clear to senior decision-makers. This understanding of the potential business impacts enabled CISOs to present the case for projects and report progress effectively. Other inputs into prioritization include industry best practices, past attacks on firms and quantitative measures used to evaluate actions.

Frameworks Emphasize Secure Processes Over Secure Outcomes

We were very interested in how metrics were being used. The interviews made clear that there was much more focus on measuring process than outcome. An emphasis on controls — finding and fixing gaps between current and desired cybersecurity posture — dominates.

There is much less focus on the actual results of cybersecurity efforts, such as examining the costs and effectiveness of controls. For example, very few respondents reported relying on ROI calculations when deciding how much to invest and where. This may be due to the widespread use of frameworks, which promotes the use of process measures.


Budget Is Not the Major Challenge — Finding Qualified Personnel Is

The power of breach announcements in motivating cyber investment is clear. The recent large breaches splashed across the headlines have focused the C-suite and boards on cybersecurity to the point where budget is generally not a limitation for nongovernmental entities. Some interviewees said that their senior management wanted to move faster than the CISO thought was advisable.

In other cases, senior management would not allocate the full requested budget because they doubted the CISO’s organization could execute the number of proposed projects. The concern was not the money but the size of the effort, which exceeded what the available staff could reasonably complete.

The lack of cybersecurity talent also impacts the utility of applications: One CISO stated that he believed he was not making full use of his cybersecurity applications because his staff was not able to employ all the included features.

CISOs in 2015: The New Traditionalists

We were struck by the variety of approaches the interviewees took and the range of environments they operate in. Three CISOs stand out as exceptional in their approach to cyber risk management. In the past, we have always found that such mavericks provide great clarity and insight into the practice and possibilities of cybersecurity; these are the conversations most likely to change our assumptions and thinking.

Rather than profile those outliers, we will describe what the “in-liers” look like: In-lier CISOs would probably not report to the CIO, but to whom they would report is quite variable. They would use a combination of frameworks to understand the risks of the enterprise, prioritize cybersecurity efforts and communicate these to senior leadership. This combination would likely use the NIST framework to understand the risks more abstractly and the ISO framework at a more concrete level. These frameworks would be applied mainly at the enterprise level.

The results and planned cybersecurity projects would be presented to a cybersecurity oversight board that would include the CEO, CFO, CIO, CISO and other senior leadership. The CISO would have asked for this oversight board to be created since it would give him or her direct access to the most senior executives. Leadership would be supportive of the creation of this oversight board and the CISO’s efforts because they have been sensitized to what can happen to firms that experience breaches.

Our Final Answer

Based on the interviews, we think CISOs today have access to robust resources and processes to manage cybersecurity. Unfortunately, bad actors also have robust resources. We believe that this is a period when many firms will elevate cyber to being a first-class risk that will lead to a significant adjustment to the role of the CISO, who will be perceived more as a risk manager.

We also want to note an unresolved disconnect: On the one hand, CISOs express high confidence in frameworks and in their ability to identify and deploy the best controls to improve cybersecurity for their organization; on the other, the steady drumbeat of high-profile breaches shows no sign of abating. We wonder whether this contradiction results from overconfidence in process-based measures and a corresponding lack of emphasis on measuring secure outcomes. What does your organization focus on?

