Business growth and digital transformation are introducing new cyberattack vectors in the enterprise–but throwing money at the problem won’t help your company protect itself against such risks, according to a Tuesday Gartner report.

“Raising budgets alone doesn’t create an improved risk posture,” Rob McMillan, research director at Gartner, said in a press release. “Security investments must be prioritized by business outcomes to ensure the right amount is spent on the right things.”

In a survey of 3,160 CIOs across 98 countries and several major industries, 35% said their organization has already invested in and deployed some kind of digital security. Another 36% said they are actively experimenting or planning to implement this in the short term, the survey found.

SEE: Network security policy template (Tech Pro Research)

Organizations spend an average of 5.6% of the overall IT budget on IT security and risk management, according to a previous Gartner report. However, IT security spending ranges from about 1% to 13% of the IT budget and can be a misleading indicator of program success, McMillan wrote in that report.

Instead, McMillan advocates for a risk-based approach to enterprise cybersecurity, in which businesses adapt their security techniques for the digital age, continuously assessing the ecosystem risk and changing plans as necessary.

“Taking a risk-based approach is imperative to set a target level of cybersecurity readiness,” McMillan said in the release.

The vast majority of CIOs surveyed (95%) said they expect cyberthreats to increase over the next three years. However, only 65% said their organization currently has a cybersecurity expert on staff. Digital security staffing shortages were named a top inhibitor to innovation, the report found.

“In a twisted way, many cybercriminals are digital pioneers, finding ways to leverage big data and web-scale techniques to stage attacks and steal data,” McMillan said in the release. “CIOs can’t protect their organizations from everything, so they need to create a sustainable set of controls that balances their need to protect their business with their need to run it.”

The big takeaways for tech leaders:

  • Raising security budgets alone doesn’t create an improved risk posture for enterprises. — Gartner, 2018
  • 65% of global CIOs said their organization currently has a cybersecurity expert on staff. — Gartner, 2018