Make Sure Your Cybersecurity Investments Provide A Return For Your Organization

The Cybersecurity Resource Allocation and Efficacy (CRAE) Index, created by CyberRisk Alliance (CRA) and underwritten by Pulse Secure, recently published its Q3 2020 findings.

The CRAE index is "a quarterly, time-series tracker that measures the overall focus and direction of North American and European organizations' cybersecurity activities, spending, and perceived progress over time." Scores above 50 mean an increase in spending or efficacy and scores below 50 designate a decrease.

The Q3 2020 index showed an increase in resource allocation and spending on information technology security from 66.5 in Q2 to 66.7 in Q3. However, overall efficacy decreased from 75.8 in Q2 to 74.2 in Q3. These findings suggest that increased spending did not necessarily lead to improved cybersecurity.

In North America, spending remained constant, but more resources were allocated to reactive versus proactive measures. European spending, which did increase, focused more on proactive measures, although efficacy dropped there as well.

Specifically, average index readings increased in the areas of "Identifying," "Protecting," and "Recovering."  Many organizations reporting increased spending and resource allocation related to process improvements, system and software upgrades, and employee training.

The index also found that 38 percent of respondents across all regions experienced unauthorized or improper resource, application, or data access. Thirty-nine percent of respondents in North America and 26 of respondents in Europe experienced related data exfiltration or anomalous or malicious traffic. Fifty-two percent of organizations said that phishing attacks or identity and credential theft are their top concern in Q3 2020.

Cybersecurity resource allocation and spending in the healthcare industry increased by 5.8 points in Q3 to 69.6. Protection measures, which include implementing cybersecurity training and awareness programs, developing processes to secure digital and physical assets, and purchasing or implementing cybersecurity technology, saw the greatest increase—8.7 points. As in Q2 2020, healthcare organizations cited budgetary constraints as their primary challenge in addressing growing cyberthreats and exposure from untrained staff and employee carelessness in handling sensitive data.

In the financial services and insurance industries, cybersecurity resource allocation and spending decreased from 68.2 in Q2 2020 to 67.4 in Q3 2020. Efficacy also declined from 77.3 to 74.1, although there was improvement in the area of "Recovery."

The manufacturing sector saw a slight increase in both spending and efficacy, with a more notable increase of 3.8 points in the areas of "Responding" and "Identifying." This means organizations are developing response strategies, policies, and controls to prevent future attacks and improving asset management plans, risk management strategies, and governance programs.

Finally, high tech and business services organizations saw a 3.8-point decrease in spending and a 7.3-point drop in efficacy. "Protecting," which includes cybersecurity training, implementing technology, and securing assets, had the biggest decrease at 12.3 points. "Identity Theft, Cloud App Exposures, At-Risk Devices and Unauthorized Access Concerns Impacting Organizations, According to Pulse Secure and CyberRisk Alliance" (Dec. 15, 2020).


Organizations should expect a return on their investment when they invest in cybersecurity. It is not enough for organizations to spend money—they must do so wisely and achieve value for their investment. In order to make sure money is well spent, it is important to carry out a cybersecurity risk assessment.

A risk assessment will reveal your greatest cyber risks and vulnerabilities. This allows you to spend your time and money addressing your greatest needs, rather than on areas that do not pose much risk for your organization.

Your assessment should include the five areas recommended by the National Institute for Standards and Technology (NIST) Cybersecurity Framework: Identify, protect, detect, respond, and recover.

Considering all areas of cybersecurity—for example, not only how to prevent a cyberattack but also how to respond in order to limit damage if you do fall victim—allows you to create a more comprehensive, and effective, cybersecurity plan.

Finally, your opinion is important to us. Please complete the opinion survey:

Download Video: MP4 WebM