Businesses are increasingly aware that security technology is only as valuable to their goals as the people who use it. While research increasingly touts the potential of AI-driven cybersecurity to boost digital defences, new research shows that almost half of firms spending more on cybersecurity in the coming year will do so to strengthen their human resources.
A recent paper by IBM considered the cost of data breaches. In the end, it estimated an increasing cost for organisations that suffer a data breach, with an average of $4.45 million – but that rose as high as $10.93 million in certain high-impact sectors like healthcare. According to the same study, the use of AI and automation solutions have had a real impact for organisations that use such solutions extensively within their defences. On average those organisations with such solutions in place were able to identify and contain a breach 108-days shorter than those without. These companies also reported a $1.76 million lower data breach cost compared to organisations that didn’t have such capabilities.
However, like any other form of digital transformation from the last decade, there is a risk of underestimating the changes needed to get the best results from AI technology. It is still easy to view AI as a silver-bullet, which will simply render improved results on its own when it comes to shutting out cyber-criminals – but the reality is that the best implementations of the technology are as much about human employees as the tools they use.
To that end, a new study from global cybersecurity consultancy S-RM has found that while the average 97% of firms are planning to increase the use of AI tools across the firm – with boosts to cybersecurity including real-time threat detection, and automated risk and compliance – but only 53% are confident that they can secure those tools. With the introduction of new tools comes new opportunities for criminals – especially if the tools are not implemented properly.
This has seen a noted change in the way which companies view their investments in the latest digital tools. S-RM polled 600 c-suite and IT budget holders from organisations in the UK and US with a revenue over $500 million. When asked by S-RM whether they felt technology provided ‘high value for money’, around three-in-five respondents in the hype-driven 2021 and 2022 financial years agreed that it did. In 2023, however, that has fallen to less than half.
Looking deeper at the responses, some areas of technology investment were even less seen as inherently ‘high value for money’. While cybersecurity technologies were described that way by 49% of respondents, that sank to 42% for risk assessments, and 40% for third-party risk management. According to the researchers, this dip in technology’s perceived value likely reflects a growing awareness that investing in cybersecurity, technology also means investing in the governance and personnel to effectively enable and manage it. Supporting this point, S-RM also found that it seems to be a driver of rising investment in the coming year.
Cybersecurity budgets grew by 3.1% in 2023, but firms predict an 8% rise in the coming year. When asked what was behind this, around four-in-ten said that they were either aiming to upskill their teams, training them to better deploy new technology, or that they were looking to hire more skilled personnel to do that same. Both those responses were around 10% less popular last year, showing a marked shift in the assumptions around the effectiveness of new cybersecurity technology on its own.
Even so, the decisionmakers determining budget still seem out of step with their staff, suggesting they may not be shifting quickly enough. Only 43% of IT professionals – those deploying technology – cited it as a ‘high value for money’ investment area, compared to 56% of C-Suite business. The difference perhaps reflects a misalignment of expectations between the operators of cyber technologies, and those a step removed from their day-today applications.
Jamie Smith, head of cybersecurity at S-RM, commented, “It’s reassuring that cyber security budgets are still rising in these challenging times, but this level of increase is simply not enough to tackle the growing cyber threat. Navigating ongoing skill shortages and investing in training and development of teams comes at a cost, but cyber professionals are not receiving the budget they need to deliver on these critical initiatives. Organisations will have to continue being cautious with cyber security spend, identifying those ‘value for money’ areas that will enable them to manage emerging cyber threats with tightened purse strings.”