Dive Brief:
- While 2 in 5 cybersecurity leaders reported their security operations center was hit by a recent cyberattack that led to a security breach, the vast majority, 85%, were still confident in their security operations center’s ability to prevent “increasingly sophisticated” attacks, according to the results of a cybersecurity survey conducted in April and released Monday by Big Four accounting and consulting firm KPMG.
- The respondents — comprised of about 200 CISOs, CSOs and AI security officers at firms with at least $1 billion in revenue — also expect more resources to bolster their defense going forward.
- Nearly 9 in 10 anticipate their company’s SOC budgets and headcount will increase by under 20% over the next two years, according to the findings. Currently, the average annual SOC budget stands at $14.6 million, according to KPMG.
Dive Insight:
The anticipated boost in security budgets comes amid a growing number of cyberattacks against large organizations, according to Ryan Budnik, director of cyber threat management at KPMG.
CISOs are “acknowledging that there is an expanding footprint of devices and technologies and business that they need to cover and protect,” he said in an interview.
SOCs are front and center in handling cyber threats, acting as a kind of “one-stop shop” to help organizations mitigate, prevent, contain, respond to and recover from cyberattacks, Budnik said.
While organizational structures differ, Budnik said SOCs typically reports to the CISO, who is often a peer of the CFO. The finance chief allocates the budget to the CISO, who would oversees the SOC operations, he said.
Some of the SOC plans are likely to be more robust than others. More than two-thirds of respondents expect their SOC budget to increase over the next two years, but for most it’s a small uptick.
Of those, almost half expect a SOC budget increase of less than 10% and 2 in 5 expect their budgets to rise between 10-20%, KPMG found. Just 13% expect their budgets to increase by at least 20%.
Only 1% of respondents anticipate their SOC budgets will decrease.
Cybersecurity has risen as a C-suite level priority in recent years, amid a rise in sophisticated and costly cyberattacks as well as growing regulatory pressures, including the Securities and Exchange Commission’s rules that require public companies disclose cybersecurity incidents within four business days of determining if they are material.
“The SEC requirement is forcing a conversation … really forcing the CISO to frame it within the organization as a business risk,” Budnik said, noting that putting a price tag on the value of the security is not easy. “That dollar saved coming out of security is hard to quantify.”
The study’s findings regarding how the security leaders spend SOC money show that the allocations of the SOC budget are spread fairly evenly across different aspects of the center’s activities, with 19% spread on prevention expenses to 16% spent on response and remediation.
While companies have been talking about “shifting left,” Budnik said it was understandable that spending on response remains a focus.
“When those incidents happen, everybody drops their pencils and everyone focuses on that,” Budnik said. “So typically that’s where the budget, I suspect, is being focused because when a breach is occurring everyone needs to focus on that, worrying about prevention at that point is less important.”