Four Areas Where You’re Spending Too Much and Four Where You’re Spending Too Little on Cybersecurity

Industry estimates suggest that companies spend up to 75 percent of their security budget on prevention technologies alone, leaving only a quarter to cover other categories. While cyberattack prevention is important—we’d all love to stop cyber-attacks before they happen—it can’t control everything. Here are four areas where we see overspend and four where you’re probably not giving enough attention. Maximizing your security budget to align with business objectives, industry, and unique company position is critical to our CyberLean approach.

Cyber Budgets Tend to Overspend

Four Areas Where Cyber Budgets Tend to Overspend


These are products or services designed to detect and block a cyber threat before it succeeds. Firewalls, antivirus, intrusion prevention systems (IPS), advanced malware protection solutions, cloud-based email filtering solutions, and others are all considered prevention technology. However, motivated attackers will continue to find novel ways to get past preventative controls, so IT and security need to balance their infosec budget among multiple security categories.

Low Impact Risks

Perform a risk assessment to identify the costs associated with identified risks. Spend money to address the high likelihood and high-impact risks based on:

  • Software and operational downtime
  • Loss of business, customers, and money
  • Reputational loss

Additionally, organizations could perform a controls assessment to gain a better understanding of their control performance. Correctly identifying the critical controls and any potential control gaps ensures that the organization can efficiently address risks in the future.

Risk assessments and controls assessments have value; however, performing a risk assessment allows an organization to work backward and ensure that every risk is acknowledged and managed by controls.

Dealing with Technology Bloat

It’s easy to allow the number of applications and infrastructure to bloat over time. A lack of coordination leads to a loss of efficiency that increases evident and hidden costs. Performing a Technology Rationalization highlights areas where organizations should eliminate excessive processes or tools.

Maintaining Legacy Systems

Companies relying on legacy IT systems typically perform fewer functions at a higher cost; keeping them just builds technical debt. Alternatively, invest in modern IT to decrease risk, create a cloud strategy, and update cybersecurity protection options.

Cybersecurity Security Budgets Need to Grow

Four Areas Where Most Security Budgets Need to Grow

Conduct Regular Cybersecurity Assessments

Cybersecurity and risk management assessments allow the organization to identify and prioritize general and specific risks they face. According to CyberShark, industry leaders like IBM believe that “a healthy cybersecurity budget should make up nine to 14% of your overall IT department’s annual budget.” Many companies spend less than six percent of their budget on risk management and cybersecurity. That’s far too low for most mid-tier or large organizations.

Add Detection and Response to Your Cyber Mix

These solutions help identify and clean up a threat after it has infected a network. In other words, when an attack or malware makes it past preventative defenses, these products help IT learn about the threat and remediate it. Some examples include endpoint detection and response (EDR) products, security information and event management (SIEM) solutions, and other incident handling tools. Some provide integrated risk management that identifies, measures, and remediates.

Comparing three cybersecurity models MSSP vs. SIEM vs. MDR

Which Cybersecurity Service Model Is Right For You?

We compare MSSP, SIEM & MDR.

Read Insight

Focus on Business Continuity and Disaster Recovery (BC/DR)

This includes services and technologies that recover IT systems and data needed to continue business operations after a catastrophe like a cyberattack, natural disaster, or other emergencies. Backup products and services, virtual and cloud-based hosting solutions, and cyber insurance qualify as BC/DR spending categories. A Business Impact Analysis, the first step in a continuity plan, provides much more than emergency or disaster recovery processes and protocols but offers an opportunity to ensure that security aligns with business goals and models and future strategies into new markets or industries.

CyLumena BIA White Paper

Business Continuity Starts with a Business Impact Analysis

Identifying and assessing critical processes, people, and priorities to ensure resiliency, strength, and market confidence.

Download White Paper

Utilize Lean Software as a Service Where Appropriate

SaaS products can give an organization on-demand scale that meets business process requirements now and in the future. Not only can they shrink or increase as needs change, but they reduce IT’s maintenance and the company’s digital footprint. This can lower the overall organizational risk that’s accounted for during security assessments or IT audits. Ensure that your cloud strategy incorporates these products, and that custom cybersecurity controls are in place to manage their unique cloud-based risks.

Reallocating Cybersecurity Budget to Support Business Objectives

Rather than just look at cuts to your cyber budget, we suggest a more strategic approach of aligning spending to business plans and requirements. The net effect could decrease or increase spending, but this approach ensures that spending is targeted and represents business priorities no matter the result.

Our team created the CyberLean approach to accomplish a right-sized budget that supports the business. Whether through business continuity and disaster recovery planning, performing cybersecurity audits and assessments, or providing guidance on the right SaaS security tools, we’re here to help you maximize your cyber investment and return.

Contact Us