Bosses Are Reluctant to Spend Money on Cybersecurity

By Tom Morrison posted 12-16-2021 11:11 AM


Many businesses still aren't willing to spend money on cybersecurity because they view it as an additional cost – and then find they have to spend much more cash recovering from a cyber incident after they get hacked. 

Cyberattacks like ransomware, business email compromise (BEC) scams, and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents and their expensive fallout, many boardrooms are still reluctant to free up budget to invest in the cybersecurity measures necessary to avoid becoming the next victim.

The cost of falling victim to a major cyber incident like a ransomware attack can be many times more than the cost of investing in the people and procedures that can stop incidents in the first place – something many organizations only fully realize after it's too late.

"Organizations don't like spending money on preventative stuff. They don't want to overspend, so a lot of organizations will sort of be penny-wise and pound-foolish kind of places where they wait for the event to happen, and then they have the big expense of cleaning it up," Chris Wysopal, co-founder and CTO of cybersecurity company Veracode, told ZDNet Security Update. 

It's then that they realize that they could have spent less if they had prevented the attack, he said: "A lot of organizations are going through that right now."

For example, an organization might end up paying millions of dollars to ransomware criminals for the decryption key for an encrypted network – then there are the additional costs associated with investigating, remediating, and restoring the IT infrastructure of the whole business after the incident.

"Just the ransoms that organizations are paying, if they don't have cyber insurance, could certainly pay for a lot of cybersecurity professionals. And cyber-insurance rates are going up, so it's getting more expensive across the board for organizations because of the threat," said Wysopal. 

Even for organizations that do have a fully-fledged cybersecurity strategy, training, hiring, and retaining staff can still pose a challenge because of the high demand for employees with the required skills. 

The supply and demand issue isn't going to be solved overnight and, while Wysopal believes long-term investment in cybersecurity is vital, there are additional measures that can be taken to help get more people with cybersecurity skills into the workforce to help protect organizations from attacks. 

"One thing I would like to see is cybersecurity become part of every IT or computer science student's training, so that they have some understanding of cybersecurity as a professional, whether it's building and managing systems in an IT environment or building software," he explained.

If IT or development staff have at least some understanding of cybersecurity, that can help organizations, particularly smaller ones, that might not have a big budget. 

"I'm really pushing for that to be part of the curriculum and I've been working with a few colleges to make that part of the computer science curriculum," Wysopal said.


Written by: Denny Palmer, Senior Editor, ZDNet.