Index Insider: Can You Pay for Cybersecurity Performance?

Hello. This is Alex Bakker and Doug Glair with your weekly briefing on what’s important in the IT and business services sector.
If you’d like to read this on the web, click here, and if someone forwarded you this briefing, consider subscribing here.


We recently completed the 2023 Cybersecurity Buyer Behavior Study, which looked at the key challenges facing large enterprises. One of the first analyses we conducted in the study was to identify what makes organizations successful at reducing their cybersecurity risk.
When we looked at the number of security incidents organizations were reporting in 2023, we saw an interesting and seemingly obvious connection with the organizations’ cybersecurity budgets. Organizations spending the least on cybersecurity – budgets that amounted to less than .5% of their revenue – reported many more cyber incidents than those spending >1% of revenue (see Data Watch). The obvious conclusion is that organizations that spend more on cybersecurity will get better outcomes.
But is that really true?
While it is tempting to believe that an organization can simply pay for better performance, data elsewhere in the study suggests that a greater budget allocation for cybersecurity may be an outcome, rather than a cause, of an effective organization.
We asked organizations a series of detailed questions on how various executive and functional leaders in their organizations (e.g., CIO, CISO, CFO, CMO, COO, Legal, Communications, etc.) were involved in creating cyber resilience plans, evaluating security solutions, making technology decisions and participating in cyber audits and compliance functions. What we discovered was that organizations with smaller cybersecurity budgets generally concentrated their cybersecurity decision-making with the CIO and the CISO and involved other roles less. Organizations with greater cybersecurity budgets, however, spread their cyber decision-making to a much wider group.
In our experience, this data validates what we see in the market: companies that prioritize reducing overall cybersecurity risk can build stronger strategies and business cases for investment and receive larger budgets. It is not enough to simply spend more; the increased spending follows strong strategy, governance and risk management at the leadership level.
The takeaway, then, is that organizations with lower cybersecurity expense - and greater numbers of cybersecurity incidents - need to amend their organizational approach to cybersecurity more than they need to amend their spending. Cybersecurity is a business challenge, not just an IT or CISO one. Everyone has a role to play in the decisions a company is making to reduce its cybersecurity risks.


Percentage of Companies Reporting Cybersecurity Issues Differs According to their Cybersecurity Spending


About the author

Alex Bakker

Alex Bakker

Alex leads the Primary Research Team where he focuses on study design, panel research, and interview based research for ISG. In addition to leading the Primary Research practice at ISG, Alex also serves as the lead analyst on provider pursuit effectiveness, and helps IT service providers understand how they can improve performance in the competitive process. 
LinkedIn Profile