Most organizations are uncertain about the effectiveness of their cybersecurity investments, despite increasing budgets and rampant cyber incidents, according to Optiv’s 2024 Threat and Risk Management Report.

The report highlights that while cybersecurity budgets have seen a 59% year-over-year increase, only 36% of respondents have a formal approach to determining these budgets, leading to potential inefficiencies and missed opportunities to address critical security gaps.

Based on an independent Ponemon Institute survey, the study revealed that 61% of respondents experienced a data breach or cybersecurity incident in the past two years, with 55% reporting four or more incidents.

Despite increasing investments in cybersecurity, 40% of organizations believe they have too many security tools, hindering effectiveness, while only 29% feel they have the right amount.

The report revealed the top investment areas for 2024 include internal security assessments (60%), identity and access management (IAM) programs (58%), and additional cybersecurity tools (51%).

However, only 36% of respondents have a formal approach to budgeting, potentially leading to inefficiencies.

Nearly three-quarters (73%) of organizations surveyed said they are adopting security orchestration automation and response (SOAR) technology to improve incident response efficiency.

Develop Security Roadmap, Define Budget

Randy Watkins, CTO at Critical Start, said the lack of a formal approach to budgeting often reflects a more important lack of a formal approach to risk management.

“Budget requests from security leadership should be made based on the organization’s unaccepted risks, and what’s necessary to mitigate those risks,” he said.

He added for organizations struggling to develop this security roadmap, a risk assessment or framework alignment assessment are great places to start.

This includes assessing the current security posture, identifying gaps exposing unacceptable risks, and creating a roadmap to mitigate those risks, associating the cost to mitigate with the projected cost of exploitation.

“With the increase in budget ask, and the corresponding increase in ROI ask, security leaders should build relationships with their CFO and finance teams,” Watkins advised.

He noted that CFOs have begun getting more involved with cybersecurity, as it represents a high area of risk to revenue from brand reputation to operational disruption and ransom payments.

Focus on Automation, Data-Driven Approach

Luigi Lenguito, CEO of BforeAI, said the focus of IT security teams should be on impactful programs at scale, noting automation can reduce repetitive and distracting “busywork” and can be one of the best choices a security leader can make.

“It isn’t about more tools, it is about using tools to augment human resources by improving operational efficiency,” he said.

Lenguito said organizations must be able to monitor, identify and remediate phishing and other brand-related threats through both conventional means, for example identifying existing malicious infrastructure and taking it down.

They must also deploy advanced machine learning to quickly perform preemptive blocking and takedowns when this infrastructure can be traced back to malicious owners.

“While the old methods still work, malicious actors are using AI to execute these operations at a scale we didn’t see before,” he said. “We need to fight fire with fire – using machine against machine, as volume and variety keep increasing.”

Chris Morales, CISO at Netenrich, said he agreed embracing technology that amplifies IT and security teams’ capabilities enables them to stay ahead of threats despite budgetary constraints.

“The solution is not simply acquiring more tools or hiring more talent but a strategic shift towards a data-driven approach,” he said.

This approach empowers IT and security professionals, unlocking greater value from existing investments while enhancing the work environment for security and operations teams.

From Morales’ perspective, investing in AI-enabled security technologies and transforming the SOC, CISOs, and CIOs in their organizations can create a resilient security posture that supports broader business objectives while addressing the root causes of security burnout.

“Cybersecurity is not just a cost center,” he said. “It is a critical component of overall business resilience and trust.”