Cybersecurity ops budgets expected to climb: KPMG

Dive Brief:

While four out of 10 cybersecurity leaders reported their company was hit by a recent cyberattack that led to a security breach, most (85%) were still confident in their security operations center’s ability to prevent “increasingly sophisticated” attacks, according to the results of a cybersecurity survey conducted in April and released Monday by Big Four accounting and consulting firm KPMG.
The respondents — comprised of about 200 chief information security officers, chief security officers and AI security officers at firms with at least $1 billion in revenue — also expect more resources to bolster their defense going forward, with a majority (87%) anticipating their company’s SOC budgets and headcount will increase by under 20% over the next two years, according to the findings. Currently, the average annual SOC budget stands at $14.6 million, according to KPMG.
The anticipated boost in security budgets comes amid a growing number of cyberattacks against large organizations, according to Ryan Budnik, director of cyber threat management at KPMG. Chief information security officers are “acknowledging that there is an expanding footprint of devices and technologies and business that they need to cover and protect,” he said in an interview.

Dive Insight:

The SOC team is front and center in handling cyber threats, acting as a kind of “one stop shop” to help organizations mitigate, prevent, contain, respond to and recover from cyber attacks, Budnik said. While organizational structures differ, Budnik said the center typically reports to the CISO, who is often a peer of the CFO. The finance chief allocates the budget to the CISO, who would oversees the SOC operations, he said.

The anticipated increase in the SOC budget over the next 24 months comes as some had estimated a single digit rise in overall tech spending this year: Gartner forecast that worldwide IT spending was poised to tick up 6.8% to $5 trillion.

Some of the SOC plans are likely to be more robust than others. Of the 68% of respondents who expect their SOC budget to increase over the next two years, just 13% expect it to increase by 20% or more, 41% expect budgets to rise between 10% but under 20%, and 46% expect the boost to be under 10%, according to KPMG’s findings. Just 1% are anticipating their SOC budgets to decrease.

Cybersecurity has risen as a C-suite level priority in recent years, amid a rise in sophisticated and costly cyberattacks as well as growing regulatory pressures such as the Securities and Exchange Commission’s rules that require a “material” cybersecurity incident to be disclosed to the SEC within four days.

“The SEC requirement is forcing a conversation…really forcing the CISO to frame it within the organization as a business risk,” Budnik said, noting that putting a price tag on the value of the security is not easy. “That dollar saved coming out of security is hard to quantify.”

The study’s findings regarding how the security leaders spend SOC money show that the allocations of the SOC budget are spread fairly evenly across different aspects of the center’s activities, with 19% spread on prevention expenses to 16% spent on response and remediation. While companies have been talking about “shifting left,” meaning seeking to put more of their efforts into prevention, Budnik said it was understandable that spending on response remains a focus.

“When those incidents happen, everybody drops their pencils and everyone focuses on that,” Budnik said. “So typically that’s where the budget, I suspect, is being focused because when a breach is occurring everyone needs to focus on that, worrying about prevention at that point is less important.”