Image: iStockphoto/anyaberkut

With a rise in ransomware and other types of cybercrime, organizations realize they must be better prepared to combat the always growing threat of cyberattack. As a result, many companies expect their security budgets to increase in 2022. But rather than simply pour money into a budget, IT and business executives need to analyze their security and determine where those dollars should go. A new report from professional services network PwC offers tips on how to allocate your security spending.

SEE: Security incident response policy (TechRepublic Premium)

PwC’s “2022 Global Digital Trust Insights” report is based on a survey of 3,602 business, technology and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs and C-Suite officers) conducted around the world in July and August 2021.

Among the respondents, 69% expect a rise in cybersecurity spending next year, up from 55% last year. Some 26% see spending hikes of 10% or more, three times the percentage from last year.

However, the survey results indicate that past investments in security tools and services have so far not fully paid off. Asked about such initiatives as cloud security, security awareness training, endpoint security, managed security services, disaster recovery planning, third-party risk management and zero trust, only a small percentage (less than 20% for each initiative) said that they’ve seen benefits from implementation.

Part of the challenge is that the processes needed to manage and maintain all of the necessary security protections and relationships have become very complicated. In its report, PwC asks the question: “Is the business world now too complex to secure?” In response, 75% of the respondents acknowledged that too much avoidable and unnecessary organizational complexity triggers concerns about managing cyber risks.

As a starting point, PwC suggests asking the following questions:

  1. How can the CEO make a difference to your organization?
  2. Is your organization too complex to secure?
  3. How do you know if you’re securing your organization against the most important risks to your business?
  4. How well do you know your third-party and supply chain risks?

To make sure your security budget is focused on the right measures, PwC offers several suggestions in general and for specific roles in your organization.

In general

  • Treat security and privacy as imperatives. The CEO must convey an explicit and unambiguous principle establishing security and privacy as business imperatives.
  • Hire the right people. Hire the right leader and let your chief information security officer and security teams connect with the business teams.
  • Prioritize your risks. Your risks continually change. Use data and intelligence to measure your risks on a continuing basis.
  • Analyze your supply chain relationships. You can’t secure what you can’t see. Look for blind spots in your relationships and supply chains.

For the CEO

  • Position cybersecurity as important to business growth and customer trust.
  • Demonstrate your faith in and support for your chief information security officer.
  • Understand and accept the problems and risks in your business models and change what needs to be changed.

For the CISO

  • Understand your organization’s business strategy.
  • Build a stronger relationship with your CEO and keep the dialogue going to help your CEO clear the way for effective security practices.
  • Equip yourself with the skills needed to thrive in the expanding role for cybersecurity in business.
  • Build a strong foundation of data trust with an enterprise-wide approach to data governance, discovery and protection.
  • Don’t stop at cyber risks. Tie those risks to overall enterprise risks and to the effects on the business.
  • Create a roadmap to quantify your cyber risks and develop real-time cyber risk reporting.

For the chief operating officer and the supply chain executive

  • Examine your most critical relationships among your supply chain vendors and use a third-party tracker to find the weakest links along the chain.
  • Analyze your software vendors to see if they meet your expected performance standards. The applications and products your organization uses should go through the same type of testing and scrutiny as your own network and other assets. Review the minimum standards for software testing published by the National Institute for Standards and Technology in July 2021.
  • After reviewing your third-party and supply chain risks, look for any way to simplify your business relationships and supply chain. Should you pare down or combine?

For the chief revenue officer and chief information security officer

  • Enhance your ability to detect, resist and respond to cyberattacks via your software. Integrate your security applications so you can manage them in unison.
  • Set up a third-party risk management group to coordinate the activities of all the areas that handle your third-party risk assessments.
  • Strengthen processes for data trust and access. As your data is the target for most attacks on the supply chain, data trust and third-party risk management go hand in hand.
  • Educate your board on the cyber and business risks from your third parties and supply chain.