At a time when 24% of IT professionals rate their security and compliance strategy as merely “reactive” and fewer than half of organizations rate their risk visibility as “strong,” the average company only spends 9% of its IT budget on security.
In its "State of Trust Report" released Nov. 8, Vanta also pointed out that at a time when they should spend more on security, 60% of those surveyed have reduced budgets or have plans to reduce them.
Vanta’s report was based on responses from 2,500 business and IT leaders across Australia, France, Germany, the United Kingdom and the United States.
On a more positive note, the IT leaders understand what’s needed: 67% of all respondents believe their business needs to improve security and compliance measures. The respondents said they could save at least two hours each week — over 2.5 working weeks a year — if security and compliance tasks were automated. The biggest barriers to getting customers to trust the company’s security program are a lack of staffing (33%) and not enough automation to replace manual work (32%), they said.
Vanta researchers said companies need to think more about trust management: a holistic approach that aims to define, manage, mature, and prove an organization’s security and compliance commitments. It’s a concerted and intentional effort for the company to become more secure and to communicate that security in order to instill confidence in prospects and customers.
“Supercharged by AI, trust management is critical to reducing the tedious and repetitive security tasks that pull teams away from their most strategic work,” said the report. “For companies at the forefront of this disruption, centralizing security processes, automating compliance, and accelerating security reviews can turn trust into a marketable advantage. By closing the loop on the security lifecycle from compliance through continuous monitoring and communication, businesses can transform how they build trust and ultimately unlock growth.”
How much should companies spend on security?
The budget dedicated to security will vary depending upon organization size, risk tolerance, industry and regulatory mandates, explained Emily Phelps, director at Cyware. Phelps said that historically, security teams have had between 5% and 7% of the IT budget, with those numbers increasing as the threat landscape expands and security grows more complex. Some experts recommend that organizational security spending increase to between 10% and 15%, covering security programs, compliance and business continuity.
“Traditional security is built to be reactive, and we're finding that to move to a proactive security posture, organizations should prioritize threat intelligence, robust orchestration and automation, and trusted intelligence sharing and collaboration,” said Phelps. “Threat intelligence is a crucial investment organizations need to understand emerging threats and take action before an attack can occur. It must be integrated across security domains and into defensive tools to get a comprehensive view that can be contextualized for teams to respond. To do this, intelligence must be ingested, analyzed, enriched, prioritized, and disseminated to the right people who can take action.”
And while more automated threat intelligence can help companies compensate for a lack of resources, they still must recognize that the vast majority of breaches originate with untrained people.
Mika Aalto, co-founder and CEO at Hoxhunt, pointed out that of the 9% of IT budgets that do go to cybersecurity, only 6% goes to awareness training, according to Deloitte’s most recent survey. Aalto said hardening the people layer with behavior change training will deliver measurably greater ROI than any other strategic initiative.
“Getting more cybersecurity resources from the IT budget requires board buy-in on its importance to the business and its ROI,” said Aalto. “In the past, I’ve seen a good security awareness program actually do that by making security understandable, and the security team approachable. But I think cyber budgets will expand in the GRC direction with the recent developments in the SEC’s lawsuit against SolarWinds.”
Organizations are finding it increasingly difficult to gain comprehensive visibility, security, compliance and control — to protect every employee, on every device, from every location, said Darren Guccione, co-founder and CEO at Keeper Security. In the cloud, Guccione said, all it can take is one click for a threat actor to gain access to an entire organization if data is not properly protected and secured.
“The ever-expanding attack surface is particularly concerning with cyberattacks on the rise and IT security teams competing for talent as macroeconomic conditions are tightening budgets,” said Guccione. “Data shows the human element is far more difficult to protect, and often, the most error-prone element of the attack chain. Organizations should focus on implementing modern, elegant and pervasive cybersecurity solutions that seamlessly integrate with identity solutions to provide enterprisewide visibility, security, reporting and control.”