
5 Cybersecurity Spending Areas to Evaluate

Focus dollars to ensure cybersecurity defenses follow the changes in your computing infrastructure.
Bob Violino, January 28, 2022

As computing environments change and bad actors switch tactics, most organizations will need to increase or redirect their investment in cybersecurity.

With inflation pushing up costs, the question most CFOs will seek to answer is where spending is producing the most value, said Raj Patel, cybersecurity practice leader at consultancy Plante Moran. The goal, of course, is to better protect the organization against infiltrations of its computing assets while allocating dollars efficiently.

There are five areas in which companies should be shoring up their defenses and analyzing expenditures.

Threat Detection and Monitoring

Organizations generally need to be more proactive about cybersecurity, deploying products that detect signs of intrusion early. “Invest in cyber tools and solutions that help monitor vulnerabilities and detect potential cyber threats,” said Patel. “These tools will act as an early-warning system and limit the damage from an attack.”

Identity-focused products that support a zero-trust security strategy are essential, given the increasingly large numbers of remote workers. At one time, a premium was placed on restricting access from “outside” the network. Those “inside” the network were held to a “trust-but-verify” model.

However, hyperconnected environments have obliterated those old network divisions, said Andrew Morrison, U.S. cyber risk services leader at business advisory firm Deloitte. 


“Today’s leading design philosophy or architectural approach to security by design is zero-trust,” he said. Zero-trust’s new paradigm is akin to “never trust, always verify,” and takes into consideration the complex third-party, supply chain, and business ecosystems of most organizations, Morrison said.

Hybrid and Multi-Cloud

The rapid move to the cloud and the emergence of hybrid and multi-cloud environments means companies need solutions to protect data everywhere.

Network security and endpoint security are still important, but “embracing public cloud as an architectural model means security controls need to align to the emerging requirements of hybrid infrastructure,” said Ruggero Contu, senior research director at Gartner. 

Dynamic security controls support security from wherever users and devices connect. In some cases, the approach may require security delivered as a service, said Contu.

Also gaining traction are cloud-based frameworks and technologies that deliver multiple product capabilities within a single platform, like secure access service edge (SASE), extended detection and response (XDR), and endpoint protection platforms (EPP). 

  • Secure access service edge (SASE) — A security framework that moves businesses away from network access point solutions and on-premises infrastructure. SASE converges networking and network security technologies into a cloud-delivered platform that gives all network edges the same level of protection.

  • Extended detection and response (XDR) — Reportedly coined by the founder and CTO of Palo Alto Networks, XDR is a software-as-a-service-based security threat detection and incident response tool. It integrates multiple security products into one security operations system, according to Gartner. XDR collects and correlates data across email, endpoints, servers, cloud workloads, and networks, enabling visibility into advanced threats.

  • Endpoint protection platform (EPP) — A solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity and provide the investigation and remediation capabilities needed to respond to security incidents and alerts. EPP solutions are primarily cloud-managed, allowing the continuous monitoring and collection of activity data, along with the ability to take remote remediation actions.

Risk Assessment

Many organizations use cybersecurity “maturity assessments” (also called cyber-risk quantification) to prioritize budget allocation. A maturity assessment is a gap analysis that utilizes best practices and recognized frameworks to answer questions about a company’s security program.

Maturity assessments, however, are performed only annually. “Low-scoring areas typically receive additional budget and focus for the coming year, to raise [the] maturity level before the next assessment,” Morrison said. “But cyber threats are too dynamic and far-reaching for such a static approach.”

Reacting to and mitigating security threats demands continuous assessment of cyber risk exposure and quick-response strategies, Morrison said. Tools for continuous threat monitoring and dashboarding track real-time risk exposure and potential business impacts in language tailored to C-level executives.

Skilled People

The cybersecurity skills gap is widening. As of early 2022, there were about 435,000 cybersecurity job openings in the United States, up from 314,000 in 2019, according to Cyber Seek. As the number has grown, so too has the compensation for this group. The average national salary for cybersecurity professionals is $100,473, vs. $87,289 for an IT manager. And for IT cybersecurity managers, the average salary is $136,625, per ZipRecruiter. In part because of this, on average, cybersecurity roles take 21% longer to fill than other IT jobs.

That should not deter organizations from hiring and retaining the professionals they need to operate security programs. The talent pool includes not just full-time employees but, in some cases, outside service providers or consultants. “Cyber resources are scarce but necessary,” Patel said. “The question is, how many people do you need?”

While the numbers will vary across industries and business models, Plante Moran advises clients up to $100 million in revenue to have at least one dedicated resource (employee or contractor) or third-party vendor/consultant providing cybersecurity. Organizations with $100 million to $500 million in revenue should have two to three dedicated cyber resources; $500 million to $1 billion, five to seven dedicated resources; and those with more than $1 billion in revenue, ten or more dedicated resources. 

Cyber Insurance

Cyberattacks and other incidents can result in enormous expenses, including lost or stolen data, legal fees, regulatory fines, damage to brand, systems downtime, and loss of business. The average cost to the attack target rose to $4.24 million in 2021, the highest level in the past 11 years, according to IBM and the Ponemon Institute.

Buying cyber insurance can lessen the blow of a breach. In AdvisorSmith’s 2020 study of cyber insurance costs, premiums for companies with moderate risk ranged from $650 to $2,357. These figures assumed liability limits of $1,000,000, a $10,000 deductible, and $1,000,000 in company revenue.


“Have the right level of cyber insurance and review your coverage and limitations annually,” Patel said. “Cyber insurance not only provides financial loss coverage, but also access to forensic, legal, and cyber consultants referred or utilized by the insurance company.”

The one caveat? The market for coverage is still relatively young. As a result, demand for cyber insurance is outpacing supply, resulting in hefty premiums.

Bob Violino is a freelance writer based in Massapequa, N.Y.