Knee-jerk security budget reactions and impractical expectations are hampering the ability of CISOs to make business-critical security investments.

Misguided expectations on security spend are causing problems for CISOs despite notable budget increases. That's according to new research from risk and cybersecurity solutions provider BSS, which surveyed 150 security leaders. It found that while most CISOs are experiencing noteworthy increases in security funding, impractical expectations of budget holders are leading to significant amounts being spent on what's hitting the headlines instead of strategic, business-centric investment in security defenses. This lack of understanding shows that a lot of work needs to be done to ensure that information security receives the attention it deserves, especially in the boardroom, the report said.

The Information Security Maturity Report, which was released earlier than the BSS research, revealed that just over half of the 182 security leaders surveyed saw their budgets increase from last year, although the degree of increase was typically lower when compared to the previous year's report. Key factors contributing to increased spending include the evolution of the cyber threat landscape (39%), keeping up with peers (21%), and investing in recruitment and training (18%), the report found.

CISOs seeing significant budget increases after high-profile cyber incidents

Overall, 61% of the security leaders surveyed by BSS have seen their security budgets increase, with the highest finding (73%) among CISOs with an annual security budget of £500,000 to £1 million, according to the report. Most CISOs cited increases of between 10% and 30%, on average. Perhaps most tellingly, 78% of CISOs said they have received extra budget after high-profile cyber incidents such as data breaches and ransomware attacks, symbolic of changing attitudes to information security in organizations, the report said.
However, knee-jerk reactions in relation to increased budgets lead to over half (55%) of CISOs having to allocate funds towards addressing issues reported in the media rather than making more tactical business decisions, BSS said. This is often a symptom of impractical expectations of budget holders when threats to the business aren't fully understood, said Chris Wilkinson, director at BSS. "Our research shows a problematic lack of understanding by the wider business of the current threat landscape and where budgets should be spent."

Cybersecurity does not top board agendas, CISOs lack voice in the boardroom

This problem is exacerbated by the fact that security is often not high enough on the agenda of boards, the report said. Just 9% of CISOs said information security is always in the top three priorities on the boardroom's meeting agenda, and less than a quarter (22%) of CISOs are actively participating in business strategy and decision-making processes.

To make a shift, CISOs need to leverage heightened awareness of security to their advantage, BSS said. "This is an excellent opportunity for security leaders to educate the board on the most critical threats and the potential business impacts of these threats if they are not addressed," the report read.

Talking to the board about cybersecurity in a way that is productive can be a significant challenge for CISOs, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organization. Mistakes that CISOs often make when speaking to the board include using over-technical security language, focusing on the wrong threat impacts, failing to prepare for potential questions, and relying on out-of-box cyber risk reporting. In March, the UK National Cyber Security Centre (NCSC) published the Cyber Security Toolkit for Boards, including resources designed to help board members understand and govern cyber risk more effectively.