
Building cyber resilience through smart investments and budgeting
By Andre Swart, Managing Director, Ziyasiza Consulting Pty Ltd
A purposeful IT budget for an organisation is an often overlooked but essential tool that assists in defining its cybersecurity posture. It is also a good indicator of cyber resilience.
Leaders who compile and manage these budgets frequently make choices based on historic trends rather than the organisation’s strategic priorities. This disconnect reinforces the false assumption that critical aspects of cybersecurity are accounted for.
Today’s organisations face pressing and competing technology challenges that require strategic prioritisation and allocation of resources.
For instance, budgets and people are strained by the increasing sophistication and rapid pace of cyber threats, and business leaders are confronted with tough investment decisions to safeguard data and embed cyber resilience.
At the same time, data privacy regulations require significantly more robust data protection mechanisms, regular privacy assessments and compliance audits to mitigate risks associated with data breaches.
There is no clear-cut formula for determining the proportion of budget required to provide effective cybersecurity cover. While some surveys suggest that cybersecurity budgets should range between five and 15 percent of the IT budget, the reality often falls short of this estimate, leaving organisations ill-prepared to counter the onslaught of cyber threats.
Hit-and-miss resource allocation
In addition, false assumptions in the budget can put the organisation at risk of systemically fragmenting its cybersecurity strategy and may inadvertently embed cyber vulnerabilities in the long term. A weakened state of cyber readiness reduces the organisation’s ability to respond to cyberattacks, which directly increases the risk of loss of revenue, customer impact and reputational damage.
The traditional design of technology budgets – covering IT infrastructure, software, communication and cybersecurity – frequently obscures the true scope of IT resources and investments. It is not uncommon, for example, to account for firewalls as IT infrastructure and cybersecurity training for employees to be held within a departmental budget. It becomes exponentially harder to understand the cyber risk landscape when the resources are not identified as cyber resources.
In my experience, when preparing their IT budget, leaders tend to start with considerations of tangible technology investments like products or solutions that can be installed, experienced and show depreciation in financial statements. Of course, organisations must reserve funds for regular technology refresh cycles to avoid obsolescence. But a technology-first perspective should not be the starting point of the cyber budget planning process.
Risk-led budget framework provides a clear view
One of the most critical foundational steps for any cybersecurity budget is conducting a comprehensive risk assessment. Organisations that prioritise risk management are better positioned to identify and address vulnerabilities and potential threats, allocate resources where they are most needed and optimise their cybersecurity posture. Important activities to undertake in an assessment would be a review of IT Governance, Risk and Controls, the organisation’s risk and threat landscape, existing and evolving compliance and regulatory requirements, as well as third-party risk.
Given that humans are the weakest link in cybersecurity, the second key step entails focusing on people. This will ensure the organisation’s people are adequately informed and educated about cybersecurity on an ongoing basis. In a talent-constrained market, I always recommend that the cyber budget should ensure that funds for effective cyber talent management are accounted for. It is becoming more difficult for organisations to attract and retain top cyber skills, and consideration must be given to competitive remuneration packages, continuing employee development and effective strategies to mitigate the risk of skills shortages.
The final step in the budget process should then look at specific technology required to enable the cyber strategy. This highlights the importance of investing in technologies such as AI-driven threat detection, continuous monitoring and vulnerability management. These proactive measures not only enhance threat detection capabilities but also mitigate potential damages from cyber incidents.
It also provides an opportunity for organisations to build a more visible line of sight of their technology infrastructure as well as critical assets, and reassess licence and leasing agreements, policies and service level agreements with third parties to mitigate risk and redundancy.
Cybersecurity is a strategic investment
To navigate the evolving cyber threat landscape of the modern world, boards and executives should adopt the view that cybersecurity is a strategic investment, rather than an operational expense. There are five key considerations for leaders:
- Aligning cybersecurity budgets with overall business strategy, objectives and risk appetite poses a significant challenge for many leaders. This requires collaboration between IT, finance and leadership to prioritise investments effectively.
- Conducting regular risk assessments helps identify potential threats and vulnerabilities across the organisation and its third-party ecosystem. This proactive approach enables informed decision-making in budget allocation.
- Reclassifying and defining cybersecurity expenses can be complex in any organisation. It is not merely about IT infrastructure but also includes investments in threat intelligence, employee training and incident response capabilities.
- Outsourcing services to third-party vendors introduces additional vulnerabilities. Managing and monitoring these risks require dedicated resources and oversight to ensure that partners adhere to robust cybersecurity standards.
- Beyond technology, investing in skilled people, training programmes and strategic partnerships enhances the organisation’s ability to detect and mitigate cyber threats effectively.
Compiling and executing multidimensional budgets and reporting requires a strategic approach. A robust cybersecurity budget is not just a financial exercise but a critical component of effective risk management. While preparing a comprehensive IT budget may seem daunting, embracing a risk mindset ensures that it will be robust and relevant. This approach not only identifies strategic investment priorities but also equips boards, executives and managers to strengthen cyber resilience, protect the organisation from cyber threats and build stakeholder trust.