Recent years have seen a general cost-cutting in organisations caused by economic pressures. Many organisations have seen a fall in customer demand due to the cost-of-living crisis, as well as inflationary pressures affecting costs. Higher interest rates, increasing organisations’ cost of capital, are another factor.

There’s also a sense of fatigue associated with spending on cyber security. Businesses’ spending on cyber has been increasing year-on-year for a sustained period of time, and a tendency has crept in for organisations to feel that, by now, they have done the necessary investing required to protect themselves, even though the reality is that the cyber threat landscape is ever-intensifying and regulatory pressures are mounting.

Lastly, we’ve seen a ‘platformisation’ of cyber software, with the big suppliers creating cohesive, unified cyber solutions. This encourages CISOs to embrace economies of scale in their spending, allowing them to do ‘more with less’. This has led to reductions in spending on single-use-case software solutions.

All of these factors combined are contributing to a flatlining of cyber budgets over the past 12 to 18 months in many organisations.

What makes organisations feel security is a worthwhile 'cut'? In this area, spending is highly correlated to compliance – often more than risk appetite. Compliance drives action, and this leads to a situation where if the organisation feels compliance has been achieved, the spend begins to plateau as the sense of urgency around cyber dissipates. Some sectors are pushing hard on compliance, for example DORA for financial services in EMEIA and NIS2 for critical infrastructure in the European Union (EU). Spending on cyber security is more robust in these sectors, commensurate with the demands of these regulatory frameworks, but in sectors where regulation is less onerous, the spend is measurably flattening.

How can CISOs and security leaders lobby to maintain their budgets? This is where a shift in perspective is badly needed. The case needs to be made that spending on cyber is a value investment – not just a risk management cost. Organisations need to start regarding cyber as an enabling ecosystem which unlocks value in multiple ways. It can enable AI implementation right across the organisation, for one thing. It can help enable acquisitions, for another. Creating a strong platform can also differentiate the organisation in the eyes of customers. All this contributes tangible value. This is an important shift in mindset, from a perspective that views cyber only as a cost to one that understands it as an enabling infrastructure that links directly to the value generated by the products and services it underpins.

Over 60% of European security pros say their teams are understaffed, and over 50% don’t have enough budget, according to data from ISACA.

Few IT leaders surveyed in the TechTarget/Enterprise Strategy Group 2024 Technology Spending Intentions study say they are spending less this year.

This new perspective should enable businesses to consider that, instead of relying solely on central funding for cyber, they can allocate to cyber a share of their budgets for new initiatives – on the basis that an optimal cyber infrastructure is a necessary condition of the initiative’s success. It’s also useful to quantify the effectiveness of cyber spend, using Cyber Risk Quantification to demonstrate the tangible link between risk reduction and spend.

How can CISOs and security leaders increase their budgets? One of the main things cyber can enable is AI, and this is becoming the fastest-moving – and fastest-growing – change catalyst in the whole landscape. There is no doubt that AI is a cyber threat multiplier, allowing cyber criminals to become better at what they do: better malware, better phishing, and so on. This means that the custodians of business need to become better, too. And that’s going to require ongoing investment, and an ongoing evolution of the tools and solutions we implement, to enable organisations to try to keep up with the criminals. As cyber criminals avail themselves of AI to create more effective cyber-attacks, organisations are going to need to fight AI with AI. It is important to look at opportunities to automate cyber defence, especially in key use cases around Threat Detection and Response, Automated Testing and User Access Rights management. EY’s research shows that one of the key indicators of organisations that perform best in cyber security is that they consistently adopt emerging technology – especially automation – quickly. Companies that can ingrain that technology-friendly approach are the ones that suffer the least from being attacked.

AI phishing

At EY we have seen a significant increase in our clients identifying AI-generated phishing emails. Clients are also being actively targeted by AI-generated video and voice calls (vishing). This kind of scam attempt is on the rise, as AI enables close approximation of a person’s voice and mannerisms, in an attempt to deceive or defraud that person’s colleagues or family members. This is a significant threat, and addressing it is going to require both the development of anti-vishing tools – such as audio analysis tools that can tell when a voice is fake – and a more general culture of caution that helps people avoid falling prey to the criminals.