Rethink your cyber budget to get more out of it

Cyber budgets will rise for half of the businesses surveyed

Fifty-five percent of technology and security executives in our Global DTI 2021 survey plan to increase their cybersecurity budgets, with 51% adding full-time cyber staff in 2021 — even as most (64%) executives expect business revenues to decline. Clearly, cybersecurity is more business-critical than ever before.

Still, 26% will need to do more with less, and 13% will have to make do with static budgets. “The circumstances we find ourselves in with the economy are putting a lot of pressure on security organizations to make sure that the investments we're making are efficient and high-value,” says Katie Jenkins, CISO, Liberty Mutual.

Getting the most value for every cybersecurity dollar spent becomes more critical as entities digitize: every new digital process and asset becomes a new vulnerability for cyber attack.


More are increasing cyber budgets than decreasing them in 2021


Most executives lack confidence in the budgeting process

More than half (55%) of business and tech/security executives lack confidence that cyber spending is aligned to the most significant risks. The same share lack confidence that their budget funds remediation, risk mitigation and/or response techniques that will provide the best ROI (55%), or that budgets provide the resources needed for a severe cyber event (55%). Nearly as many lack confidence that the process monitors the cyber program’s effectiveness compared to expenditures (54%).

Cyber budgets could — and should — link to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way, but 53% lack confidence that their current process does this.

And with regard to preparedness for future risks, executives are not confident that cyber budgets provide adequate controls over emerging technologies (58%).

With confidence lagging in the process used to fund cybersecurity, executives say it’s time for an overhaul. Forty-four percent say they’re trying new budgeting processes, and considering how best to convince the CEO and board to assign needed funds. Nevertheless, more than one-third strongly agree that organizations can strengthen their cyber posture while containing costs — thanks to automation and rationalization of tech.


Confidence in current cyber budgets and processes is low today (Percentage of respondents who are not ‘very confident’)


Our cyber budget/process is:

Linked to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way
Includes process monitoring the effectiveness of our cyber program against the spending on cyber
Allocated towards the most significant risks to the organization
Focused on remediation, risk mitigation, and/or response techniques that will provide the best return on cyber spending
Integrated with decisions on capital requirements needed in the event of a severe cyber event
Adequate digital trust controls over emerging technologies for security, privacy, and data ethics

Source: PwC, Global Digital Trust Insights Survey 2021, October 2020: base 3,249
Q: Regarding your organization’s current cyber budget and processes, how confident are you with regard to the following?

Putting a dollar amount on cyber risk is a must

Cyber managers can do more with less, but to do so they need to quantify cyber risk and use the information to make smart choices that protect the business’s security, privacy, and cash flow.

Seventeen percent of the executives in our Global DTI survey have quantified cyber risks, and are realizing benefits from doing so. For instance, a highly acquisitive company that quantifies cyber risks can evaluate deal opportunities faster and more systematically. A financial institution that handles millions of transactions a day can do daily and weekly threat and vulnerability assessments — staying alert to the performance of underlying controls and any need to reallocate resources.

Cyber risk quantification is not for the faint-hearted, with many obstacles in the way: lack of a widely accepted model, lack of people who understand cyber and risks from a business lens, and lack of scalability. Nevertheless, nearly 60% are beginning to quantify risks or have implemented at scale. And nearly everyone else (17%) plans to begin risk quantification within the next two years.

Raising confidence in budget decisions

The economics of cybersecurity has long focused on the cost side (compliance, updating capabilities, and so on). This must change. The cyber strategy reset — considering cybersecurity in every business decision — means connecting cyber budgets to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way.

Putting a dollar amount on the value of a cyber project, in terms of risk reduction or less costly compliance, allows comparison of the costs and value of cyber investments so they can be prioritized. Quantification also makes it easier to measure the value of the overall portfolio of cyber investments against business objectives. This kind of rigor and sophistication will be increasingly demanded — especially as the markets and regulators hold CEOs and board members more accountable for cybersecurity and privacy.

