What’s really going on with the CISOs and their budgets?
The 2023 UK Cybersecurity Landscape report from Expel makes interesting reading.
Based on the feedback of 500 IT decision makers, it paints the usual picture of security operations: constant attacks, tool proliferation, analyst burnout and high attrition rates.
There is nothing really new in all this, and we have been commenting on those matters at least since 2021.
While the bulk of the emphasis in the report – and in the commentaries it has attracted – seems to be on staff wellbeing and turnover, it is a statistic hidden on page 5 that has drawn my attention.
The survey found that “on average, 26.7% of allocated security budgets went unspent” in 2022, leaving – on average – in excess of £50,000 of available cybersecurity budget going to waste last year in each responding organisation.
In the context of the constant cacophony of CISOs complaining about their lack of resources and their difficulties in getting funding, the statistic is plainly staggering.
Or is it really?
In fact, it echoes some of our field experience, and needs to be seen in the context of the “when-not-if” paradigm around cyberattacks, and the change in top-level dynamics it is inducing around cybersecurity.
Frankly, CISOs struggling with budgetary issues in the current context genuinely have to look in the mirror and ask themselves what underlying issue the situation might be hiding.
CIOs often have no problem justifying the cybersecurity lines in their budgets in the face of constant cyber-attacks: you truly have to be a brave CFO to cut those. In fact, cybersecurity is probably the best protected and most resilient part of the CIO's budget, particularly in the context of the current post-COVID downturn.
The problems are elsewhere.
The “when-not-if” paradigm puts the focus firmly on the execution and delivery of security measures: this is no longer strictly about finding a balance between risk appetite, compliance requirements and costs, but about protecting the business from real threats that can strike at any time with real impact.
The commentary in the Expel report rightly points to “organisational stress” in its explanation of the statistic (“problems abound, with no clear path on how best to tackle them.”), then moves on to alert fatigue, burnout, staff wellbeing and high turnover as if these were directly and obviously related.
I think the issue runs deeper than that. The underspending cannot be simply put down to the difficulty in finding or keeping resources to execute.
Cybersecurity is fundamentally a cross-functional discipline and has always been. You cannot be successful with large scale initiatives around identity and access management, data loss prevention or privacy compliance for example, without the effective involvement of business units, HR and other support functions – and all geographies where relevant.
CISOs are poorly equipped to deal with those matters because they have been trapped for the last decade in the firefighting of technical incidents, and have failed to develop the management and political acumen they now require to meet the expectations of senior stakeholders.
So I think the problem around underspending lies less in there being “no clear path” about what to do than in CISOs being reluctant to face the rest of the business with real transformative initiatives: initiatives that would consume the allocated budgets, but would also require them to step out of their technical firefighting comfort zone.
Putting it differently, it is – in my view – their fear of failure, linked to their discomfort around management and politics, that leads to considerable underspending by the CISOs.
The way forward to break that logic will invariably involve looking at the role of the CISO differently, possibly splitting roles and responsibilities to allow the emergence of an elevated CSO role able to steer cross-functional initiatives, maybe by linking them to others in fields such as resilience, privacy or compliance.
It will not remove all tensions around staffing and skills in the short term, but it could create different dynamics and possibly open the field to different, non-technical profiles, allowing a different narrative to build up around cybersecurity and continue attracting talent.
One thing is certain: Complaining about stress and burnout will never solve the underlying problems faced by cybersecurity functions.
The cybersecurity industry needs to confront the roadblocks that have led to those situations and engage in some self-examination.
It cannot simply be reduced to the business refusing to commit enough resources, as the statistic discussed above appears to show.
Founder & CEO
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.