Investing in Cybersecurity: Are You Overspending or Underspending?

Determining the proper levels of investing in cybersecurity is challenging. While you want to have the necessary tools, teams, and processes in place to adequately defend your infrastructure, you also do not want to overspend.

For many senior security leaders, it’s a significant challenge. As you budget, you have to justify your expenditures. Yet, the more successful you are at defending your organization from cyber threats, the more others may question the amount of money you are spending to do so. This can easily lead to an imbalance in how much you are investing in relation to your risk.

It’s a common question that organizations ask: are you spending too much or too little?

Overinvesting in Cybersecurity

It’s not uncommon to see organizations that are overspending on cybersecurity in an attempt to harden their systems. Doug Hubbard, risk expert and author of How to Measure Anything, said overinvesting in cybersecurity happens frequently.

He points to a cybersecurity portfolio analysis he did for the Department of Veterans. The analysis uncovered redundant risk mitigation efforts, and removing them allowed the department to reduce its cybersecurity spending by $30 million without negatively impacting its security posture.

Hubbard, along with coauthor Richard Seiersen, also noted in How to Measure Anything in Cybersecurity Risk that overspending can sometimes create more risk than it mitigates. Questionable methods have been duplicated across industries and embedded in products, and these can increase risk rather than reduce it.

Yet, with escalating attacks, it’s not surprising that cybersecurity spending continues to grow.

A Deloitte study shows that companies have generally increased spending from 0.34% of company revenue in 2019 to 0.48% of company revenue, an increase of more than 41%. Yet the amount an organization spends is not the ultimate answer: in that study, overspending did not necessarily translate into a higher cybersecurity maturity level.

Overspending can provide a false sense of security that underestimates actual risk. At the same time, money invested in cybersecurity is capital that can’t be invested in other areas of the business. The key, of course, is to spend the right amount and ensure you are properly protected.

Underinvesting in Cybersecurity

Unfortunately, many companies don’t find out that they are underinvesting in cybersecurity until it’s too late, and a single incident can be devastating. The global average cost of a data breach in 2022 rose to a record $4.25 million, according to the Ponemon Institute’s The Cost of a Data Breach Report. In the U.S., the average cost of a breach was significantly higher, at $9.44 million.

The cost of a single incident is as much as two to four times higher than the cost associated with incident response teams and testing. Yet, many organizations continue to underinvest in cybersecurity and don’t have the proper controls or measurements to track performance against real-world threats.

“They’re spending a lot of money on lots of different kinds of controls and systems for tracking controls and tracking performance and looking for threats,” said Hubbard. “And then if you have a team of 50 cybersecurity experts, maybe none of them actually are specialized in quantifying risk.”

Without quantifying risk in a measured way, it is impossible to know whether you are spending the right amount of money to protect your infrastructure.

Investing in Cybersecurity: Are You Spending Too Much or Too Little?

Determining the ROI for any cybersecurity investment is tough. Even the known costs, such as how big a potential loss might be, are just one piece of the puzzle. The real problem for organizations is that they don’t really know whether they are overspending or underspending.

Part of the reason why it’s so difficult to understand risk is that organizations don’t have the empirical performance data they need to know the effectiveness of their security posture. “Leaders are spending a lot of their resources on tools that should keep you protected, but aren’t,” said Christian Sorenson, CEO of SightGain. “Leaders should know if their security systems will work against the latest techniques.”

Hubbard agrees. “The answer to that is getting some quantitative methods in place, so you can actually compute the monetary value of this production,” Hubbard said.

Right-Size Your Cybersecurity Spending and Improve Your Security Posture

The SightGain Threat Exposure Management Platform provides the data you need to make decisions about cybersecurity spending and protection. By using real-time data and testing systems against real-world attacks, you can right-size your security controls to optimize costs while continuously improving the effectiveness of your security tools and processes, which in turn increases operational efficiency.

Compliance checklists and traditional risk assessments simply do not provide the real-world data you need to accurately measure risk. SightGain’s live-fire scenarios, built from current threats, help you determine the probability and impact of cyberattacks. Not only can you map team performance against risk analysis frameworks like NIST 800-53, CMMC, or MITRE ATT&CK, but you can also quantify your risk exposure and identify security gaps for remediation.

On average, SightGain’s clients improve their threat detection by a staggering 900% while reducing the cost of cyber tools by up to 20%. Looking to right-size your cybersecurity spending and improve your security posture? Schedule a demo of SightGain today.