Benchmarking your cybersecurity budget in 2023

Knowing which areas to focus on in a cybersecurity budget to drive the most significant business value is a must-have skill for CISOs.

Deloitte recently found that cybersecurity is core to cloud-based digital transformation, accounting for nearly 50% of the initiatives’ success. As they look at benchmarking and budgeting as the first step in driving revenue gains and advancing their careers, CISOs need to capitalize on every opportunity to link their spending to revenue gains.

That mindset is essential for CISOs who wants to get a board-level position and show that they know how to use cybersecurity budgets to help support and drive revenue.

“I’m seeing more and more CISOs joining boards,” CrowdStrike cofounder and CEO George Kurtz said during a keynote at his company’s annual Fal.Con. “I think this is a great opportunity for everyone here [at Fal.Con and in the industry] to understand their impact on a company. From a career perspective, it’s great to be part of that boardroom and help them on the journey.”

Knowing how much consolidation is enough

Those CISOs who get it are turning their tech stacks’ complexity and high maintenance costs into consolidation opportunities that improve cyber-resiliencies, increase visibility and control and reduce gaps in their security posture. Consolidation is a given for every CISO inheriting a large, complex and costly tech stack that needs to be factored down to improve scale.

CrowdStrike was early in identifying the need to support CISOs who must consolidate tech stacks to help drive more revenue. By devising a growth strategy that benefits their growth and their customers’ security postures, CrowdStrike helps customers strike the best possible balance between consolidation and new investments in software and services. By providing a methodology and internally based benchmarks, CrowdStrike has a strong record of helping customers understand the optimal level of consolidation given their unique business requirements.

Like CrowdStrike, Palo Alto Networks has defined a consolidation strategy for its customers. While their consolidation strategies differ, both CrowdStrike and Palo Alto Networks look to bring greater scale through cost savings while driving upsell and cross-sell revenue. Each maintains a strong focus on getting budgets and benchmarking right.

Quantify risk to get the board’s buy-in

Selling a board of directors and CEO on a cybersecurity budget must begin by defining it in terms that quickly grab attention and buy-in. CISOs tell VentureBeat that they are most successful in winning budget battles by explaining the downside revenue risk of not securing an enterprise area, then using that data to quantify cyber-risks.

Further strengthening the case for cybersecurity budget approval requires explaining the potential impact of a breach on revenues and the risks of not having a specific threat detection and response system in place. This must be quantified with cyber-risk data and strengthened with industry-standard benchmarks. Chief risk officers (CROs) and CISOs who collaborate and excel at cyber-risk quantification stand a better chance of having their budgets funded.

Cyber-risk quantification is a technique for defining and expanding budgets for zero-trust security frameworks and initiatives.

“Risk quantification helps you assess the value of cybersecurity projects using a commonly understood framework that ascribes a financial value to each prioritized decision based on statistical modeling of risk and expected loss,” Mark Tattersall writes in his blog post The Business Case for Risk Quantification.

Quantifying risk is essential to benchmarking in the right context so that CISOs can have guardrails for making the best decisions.

Cybersecurity benchmarking essential to growing a business

As Kurtz put it at Fal.Con: “Adding security should be a business enabler. It should be something that adds to your business resiliency, and it should be something that helps protect the productivity gains of digital transformation.”

Kurtz’s comments proved prescient, as a Deloitte study completed later in 2022 quantified just how critical cybersecurity is to all digital transformation initiatives — with the cloud being the most important.

“This means that security is now a driver of corporate strategy rather than buried as an operational line item only to be managed and measured as a cost,” Chris Gilchrist, principal analyst at Forrester, said during a session at Forrester’s Security and Risk Forum 2022. “In other words, security now has the latitude to defend and drive growth.”

By Louis Columbus

Read full source: VentureBeat

Richard Duffy
Overcoming IT Infrastructure Disaster (Updated: 03.24.2023) One of the least considered benefits of cloud computing in the average small or mid-sized business manager’s mind is the aspect of disaster recovery. Part of the reason for ...
Drew Firment
Stop Focusing on Cloud Adoption and Start Focusing on Cloud Maturity For the past several years, most organizations have made it their priority to shift much of their applications and data from on-premises to the ...
Tosin Vaithilingam
Navigating Economic Uncertainty: Strategies for IT Leaders and MSPs Lately, it seems that each day brings news of more economic uncertainty. Companies that have been navigating the pandemic for the past two and a half ...
Sofia Jaramillo
Augmented Reality in Architecture Augmented reality (AR) is a growing field of study and application in the world of architecture. This useful tool can help us visualize architectural designs by superimposing them onto real-world scenes ...
Steve Prentice
The Era of Microlearning Becoming employable and then staying employable requires ongoing, up to date knowledge, and this can become something of a dilemma. Many of us grew up with a traditional understanding of the ...
Frank Suglia
Migrating Microsoft Office 2013 As of April 11, 2023, Microsoft will stop supporting Office 2013. The decision to end support for Office 2013 should come as no surprise. Over the past several years, Microsoft has ...
Gilad David Maayan
Network Security in the Public Cloud What is Network Security? Network security is a strategic approach to securing an organization’s resources and data across the corporate network. It helps protect organizations of all sizes, industries, ...
Stacey Farrar
Modern Auth and Exchange Online Migrations Microsoft has phased out Basic Authentication (Basic Auth), replacing it with Modern Authentication (Modern Auth) to provide increased protection and user security. Through this, Microsoft has turned off Basic ...
Disaster Recovery Plan.png
Cloud For Dummies.png
The Sticky Note.png
Holiday Photos.png


Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization. 


(ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees.


CYBRARY Open source Cyber Security learning. The world's largest cyber security community. Cybrary provides free IT training certificates. Courses for beginners, intermediates, and advanced users are available.