Cyberattacks may be in the news right now, but security leaders aren't always in control of response and remediation. They're at the whim of budgets and have to navigate how much influence they have to implement change to protect their organizations.
Less than a quarter of cybersecurity leaders have complete ownership over their budgets; 15% said they have no influence at all, according to a recent survey of 1,426 cybersecurity leaders from LogRhythm and the Ponemon Institute.
"If your security leader is tucked under the CIO or CTO, they're not directly reporting to the CEO," said Matt Sanders, director of security for LogRhythm. "They're not fully in charge of their budget because their budget is a smaller part of someone else."
By pulling security out from under the wings of another department and giving security an independent budget and the authority to implement companywide changes, organizations can start to meet the challenge of protecting against ever-rising security threats. That is, if they see the writing on the wall and realize the full potential of what security can do as part of business development rather than treating it solely as an expense.
Security leaders don't control their destinies
Control over security budgets resides somewhere outside of cybersecurity leadership, according to the LogRhythm and Ponemon report.
In a separate study, Forrester found about 65% of enterprises with over 1,000 employees put the security leader under a CIO or other senior IT leader. "Even if you're in that 35% bracket, you're still often relative to IT when you're thought about when it comes to budget," said Jeff Pollard, VP and principal analyst at Forrester.
Security leaders' lack of control over their budgets is a natural outgrowth of security leaders falling outside the C-suite level. The LogRhythm and Ponemon survey found that 93% of respondents don't directly report to the CEO.
Security spending is lumped in as "part of the larger IT budget," Sanders said. "If your security leader's tucked away under IT or under the CTO or legal or whoever else they may report to, they're not directly reporting to the CEO. They're not fully in charge."
A pinch point in cybersecurity
CEOs and board members are seeing security hacks as a reputational problem that can cost more than what's spent to fix the problem.
No one wants to be the next headline, said Sanders. "There's a gradual change, but maybe not as fast as we like."
In the last month, Sanders said he's talked to "a double-digit number of organizations" about how to present ransomware preparedness to their boards. "It's not something the CIOs and security leaders are pitching to the board. It's something the board is coming to them about."
Heightened awareness and demands on the security team don't always come with the appropriate budget, though. Sixty-three percent of security leaders feel their budget is insufficient to invest in the right technologies, according to the LogRhythm and Ponemon Institute report.
Hiring more people can also be a challenge. Even if security leaders are given a budget to hire help, finding the right people with cybersecurity skills is difficult in a tight labor market.
Security leaders are also worried about losing their jobs in the wake of a cyber incident. Fifty-four percent of respondents to the LogRhythm and Ponemon Institute survey said that they're worried about their job security.
An opportunity for change
Despite the concerns, there's an opportunity for change in terms of budget and control. The heightened awareness about security threats, plus business leaders seeing how damaging a breach can be, could be an opportunity to bring security out from under other departments and be seen as worthy of a C-suite level role.
"It's a tremendous opportunity but it's going to take capitalizing on the opportunity and doing it right," said Sanders.
Security leaders should push for security to be treated more like the legal, finance, human resources and marketing departments: a C-level role that can implement policy across an organization, said Sanders.
One rule, for example, would be that family members can't use an employee's laptop. "Those are the type of people policies that security needs to enforce," Sanders said. A C-level security leader can also set a mandatory policy that teams have regular security scanning in place, and a plan of action if they find a vulnerability.
If security is not given this authority, policies they want to enforce won't have any weight, Sanders added. "If security is tucked under the IT function and they're trying to push a change to the HR department or the engineering department, they have to go up two levels of management and then come back down."
Security as a business function, not a cost center
Security leaders can also work with other departments (or by directive of the CEO or board) so that they're thought of first and not last, especially when it comes to business development.
Otherwise, security becomes the bad guy, or the brakes that hold up a launch, said Dmitry Kurbatov, CTO of Positive Technologies. It's a cost center and "treated as an obstacle for business and IT while it should be a major support function," he said.
To do that, security must make sure the CEO or board knows how important security is, even if it means leveraging an attack to prove their point.
It can be an opportunity to show that security is "a critical business asset and critical business process," Kurbatov said, which can work toward changing the role of security leaders and giving them budgets that match their needs and that they have more control over.