Why a bigger security budget won't prevent an attack: Here's a better approach

Enterprises must take a risk-based approach to stop cybercriminals, rather than only throwing money at the problem, according to Gartner.


Business growth and digital transformation are introducing new cyberattack vectors in the enterprise--but throwing money at the problem won't help your company protect itself against those risks, according to a Gartner report released Tuesday.

"Raising budgets alone doesn't create an improved risk posture," Rob McMillan, research director at Gartner, said in a press release. "Security investments must be prioritized by business outcomes to ensure the right amount is spent on the right things."

In a survey of 3,160 CIOs across 98 countries and several major industries, 35% said their organization has already invested in and deployed some kind of digital security. Another 36% said they are actively experimenting or planning to implement this in the short term, the survey found.


Organizations spend an average of 5.6% of the overall IT budget on IT security and risk management, according to a previous Gartner report. However, IT security spending ranges from about 1% to 13% of the IT budget and can be a misleading indicator of program success, McMillan wrote in that report.

Instead, McMillan advocates a risk-based approach to enterprise cybersecurity, in which businesses adapt their security practices to the digital business, continuously assess the risk across their ecosystem, and revise their plans as that risk changes.

"Taking a risk-based approach is imperative to set a target level of cybersecurity readiness," McMillan said in the release.

The vast majority of CIOs surveyed (95%) said they expect cyberthreats to increase over the next three years. However, only 65% said their organization currently has a cybersecurity expert on staff. Digital security staffing shortages were named a top inhibitor to innovation, the report found.

"In a twisted way, many cybercriminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data," McMillan said in the release. "CIOs can't protect their organizations from everything, so they need to create a sustainable set of controls that balances their need to protect their business with their need to run it."

The big takeaways for tech leaders:

  • Raising security budgets alone doesn't create an improved risk posture for enterprises. -- Gartner, 2018
  • 65% of global CIOs said their organization currently has a cybersecurity expert on staff. -- Gartner, 2018


Image: iStockphoto/Jakarin2521