While the overall size of cyber budgets is an important metric when preparing a cyber strategy, how individual budgets are allocated across different cyber investment areas is equally pertinent.
The survey behind our report, Investing in Cyber Resilience: Spend, Strategy and the Search for Value, found that IT and senior decision makers have different confidence levels around how well cyber investments are made within their organisations. IT decision makers feel more confident than senior decision makers – at 71% and 56% respectively – that their organisations are making investments in the right places.
But where does this difference stem from?
72% of all respondents agree there are different priorities among senior stakeholders when it comes to managing security strategy, which results in conflicts regarding how cyber security budgets are allocated and utilised. Digging into the data, we can see differing priorities across departments. While hybrid working emerged as the most frequently cited challenge across almost all departments, priorities began to diverge when it came to the second and third most frequently referenced issues.
Table: the three most frequently cited 'Biggest cyber security challenges' by department

Department | First | Second | Third |
Information/ | Hybrid working models 48% | Compliance with policies is not enforced | Unsophisticated/ |
Information Technology | Hybrid working models 51% | Compliance with policies is not enforced 40% | Compliance with policies is not enforced 40% |
Finance | Lack of budget 47% | Lack of skills/expertise 40% | Hybrid working models 37% |
Business Direction & Strategy | Lack of skills/expertise 39% | Hybrid working | Lack of budget |
Business Development | Hybrid working models 44% | Perceived lack of importance from employees 41% | Unsophisticated/outdated cyber security tools 33% |
Operations | Hybrid working models 49% | Compliance with policies is not enforced 43% | Perceived lack of importance from employees 40% |
Other | Hybrid working models 46% | Perceived lack of importance from employees 41% | Unsophisticated/outdated cyber security tools 28% |
Issues around the enforcement of policy compliance are prioritised by security teams, IT, and operations. Meanwhile, employee awareness ranks highly among those with business direction and strategy-setting remits. Perhaps unsurprisingly, finance teams consider overall budgetary constraints as their primary concern.
A holistic cyber strategy
In every organisation, certain priorities seen as ‘must-haves’ by one group may be considered ‘nice-to-haves’ by another. A holistic cyber strategy will consider the potential challenges posed by diverging priorities across different functional units. Given the multi-disciplinary nature of cyber security and cyber incident response, achieving maximum buy-in from all relevant stakeholders will be key to the successful rollout of any cyber strategy. Therefore, while strategy setting and cyber budget allocations need top-level drive to succeed, effective implementation will increasingly rely on cross-functional communication and collaboration.