Benchmarking your cybersecurity budget in 2023

Knowing which areas to focus on in a cybersecurity budget to drive the most significant business value is a must-have skill for CISOs.

Deloitte recently found that cybersecurity is core to cloud-based digital transformation, accounting for nearly 50% of the initiatives’ success. As they look at benchmarking and budgeting as the first step in driving revenue gains and advancing their careers, CISOs need to capitalize on every opportunity to link their spending to revenue gains. 

That mindset is essential for CISOs who wants to get a board-level position and show that they know how to use cybersecurity budgets to help support and drive revenue.

“I’m seeing more and more CISOs joining boards,” CrowdStrike cofounder and CEO George Kurtz said during a keynote at his company’s annual Fal.Con. “I think this is a great opportunity for everyone here [at Fal.Con and in the industry] to understand their impact on a company. From a career perspective, it’s great to be part of that boardroom and help them on the journey.”

Knowing how much consolidation is enough

Those CISOs who get it are turning their tech stacks’ complexity and high maintenance costs into consolidation opportunities that improve cyber-resiliencies, increase visibility and control and reduce gaps in their security posture. Consolidation is a given for every CISO inheriting a large, complex and costly tech stack that needs to be factored down to improve scale.

CrowdStrike was early in identifying the need to support CISOs who must consolidate tech stacks to help drive more revenue. By devising a growth strategy that benefits their growth and their customers’ security postures, CrowdStrike helps customers strike the best possible balance between consolidation and new investments in software and services. By providing a methodology and internally based benchmarks, CrowdStrike has a strong record of helping customers understand the optimal level of consolidation given their unique business requirements.

Like CrowdStrike, Palo Alto Networks has defined a consolidation strategy for its customers. While their consolidation strategies differ, both CrowdStrike and Palo Alto Networks look to bring greater scale through cost savings while driving upsell and cross-sell revenue. Each maintains a strong focus on getting budgets and benchmarking right. 

Quantify risk to get the board’s buy-in

Selling a board of directors and CEO on a cybersecurity budget must begin by defining it in terms that quickly grab attention and buy-in. CISOs tell VentureBeat that they are most successful in winning budget battles by explaining the downside revenue risk of not securing an enterprise area, then using that data to quantify cyber-risks. 

Further strengthening the case for cybersecurity budget approval requires explaining the potential impact of a breach on revenues and the risks of not having a specific threat detection and response system in place. This must be quantified with cyber-risk data and strengthened with industry-standard benchmarks. Chief risk officers (CROs) and CISOs who collaborate and excel at cyber-risk quantification stand a better chance of having their budgets funded. 

Cyber-risk quantification is a technique for defining and expanding budgets for zero-trust security frameworks and initiatives.

“Risk quantification helps you assess the value of cybersecurity projects using a commonly understood framework that ascribes a financial value to each prioritized decision based on statistical modeling of risk and expected loss,” Mark Tattersall writes in his blog post The Business Case for Risk Quantification.

Quantifying risk is essential to benchmarking in the right context so that CISOs can have guardrails for making the best decisions.

Cybersecurity benchmarking essential to growing a business  

As Kurtz put it at Fal.Con: “Adding security should be a business enabler. It should be something that adds to your business resiliency, and it should be something that helps protect the productivity gains of digital transformation.”

Kurtz’s comments proved prescient, as a Deloitte study completed later in 2022 quantified just how critical cybersecurity is to all digital transformation initiatives — with the cloud being the most important.

“This means that security is now a driver of corporate strategy rather than buried as an operational line item only to be managed and measured as a cost,” Chris Gilchrist, principal analyst at Forrester, said during a session at Forrester’s Security and Risk Forum 2022. “In other words, security now has the latitude to defend and drive growth.”

At the same event, Forrester VP and principal analyst Jeff Pollard hosted a session titled “Cybersecurity Drives Revenue: How to Win Every Budget Battle.” This provided valuable guidance, insights and a helpful framework that CISOs can use to define their budgets by showing the revenue contributions they help protect and make.

“When something touches as much revenue as cybersecurity does, it is a core competency,” Pollard said in his presentation. “And you can’t argue that it isn’t.”

Every cybersecurity vendor knows that if they can help their customers fine-tune budgets with benchmarking, customer lifetime value (CLV) — one of the most valuable metrics of customer success —will be maximized. That’s why leading cybersecurity platform vendors have internal spending benchmarks that they provide to customers and prospects to build a business case. 

It’s best to use vendor-supplied benchmarks to identify wide gaps that cybersecurity and IT teams have yet to consider in budget cycles. No single set of benchmarks will perfectly match a given business’s challenges, so it’s best to consider each set as guardrails on budgeting and planning. There are many versions of the truth for benchmarking cybersecurity spending.

A few of the many cybersecurity benchmarks available are those from AT&T Cybersecurity, Boston Consulting Group, CSO Online, Cybersecurity Dive, Forrester Planning Guide 2023: Security and Risk and SANS.

Clutch also recently released a helpful template showing how to create a cybersecurity budget for small businesses. 

Benchmarking cybersecurity spending

Because every business has a unique set of cybersecurity challenges that are made more complex by their reliance on sales, support and supply chain networks, it’s impossible to have a single, definitive benchmark across all industries. The following guidelines reflect the consensus of the latest benchmark surveys along with interviews that VentureBeat has conducted with CISOs, CIOs and security and risk management (SRM) leaders.

Percent of IT budgets spent on cybersecurity

On average in 2022, enterprises spent 9.9% of their IT budgets on cybersecurity. Tech, healthcare and business services (including insurance) lead all industries in cybersecurity investment. What’s concerning is how little the education, retail and manufacturing sectors spend on cybersecurity. The data below further validate that the manufacturing industry’s security epidemic needs a zero-trust cure.

For most budgets, cloud-based software is in the 20% to 25% range

Consistent with Gartner and IDC’s previous studies, cloud-based software spending typically accounts for 20 to 25% of cybersecurity budgets. The figure could be significantly higher depending on the cloud maturity of a given business and industry.

For example, in tech and healthcare, CISOS tell VentureBeat that cloud-based software spending can comprise 40% of their budget given the tech stack complexity that they’re managing across multiple business units.  

CISOs allocating 20% of their budgets to infrastructure security

Many CISOs aim to revamp legacy tech stacks to protect infrastructure, IoT, industrial control systems and operational technology (OT) apps and systems.

Identity access management (IAM) and privileged access management (PAM) are among the fastest-growing budget categories going into 2023. While the Deloitte study found that 12% of budgets are allocated to IAM, VentureBeat hears from CISOs that this figure is growing faster than the market and that cloud-based PAM systems are helping close gaps in tech stacks.

Lessons learned from CISOs who excel at benchmarking and budgeting 

Seeing benchmarking and budgeting as an iterative process is crucial to success. One CISO told VentureBeat that the benchmarking, budgeting and course-correction cycle needs to become part of an organization’s DNA to succeed. 

CISOs also tell VentureBeat that benchmarking data varies significantly by segment and subsegment of an industry, so knowing the unique challenges is critical. Comparing benchmarking data can locate gaps and identify when actions need to be taken.

One manufacturing company CEO told VentureBeat that the most valuable aspect of benchmarking is finding gaps that no one considered before and course-correcting quickly to close them. That company shifted spend from defense to cyber-resilience coincident with its zero-trust initiative.

Knowing how to navigate benchmark data to build a budget that both funds cyber-resiliency and drives revenue is a skill boards of directors are looking for. The better a CISO gets at balancing the two, the more likely their career will progress.