Despite cybersecurity budgets in the Asia-Pacific (APAC) rising considerably year over year, data breaches have not dropped off. How much spending is enough? Will it ever be enough? Chief information security officers (CISOs) and information technology (IT) teams must understand today’s trends to determine whether increased spending is key or a waste of money.
How much cybersecurity spending is enough for the APAC region?
Joint research from TechTarget and the Enterprise Strategy Group found that businesses across the APAC region are preparing to increase technology spending in 2025. Around 72 percent of survey respondents plan to raise cybersecurity budgets, while 44 percent intend to spend more on IT. This trend is unsurprising, given how enterprising cybercriminals have been recently.
Cybercrime grows increasingly sophisticated as innovations like artificial intelligence and internet-enabled devices are unveiled. Experts estimate the annual revenue — meaning the losses — from cybercrime already exceeds $8 trillion, demonstrating how successful bad actors are. In light of statistics like these, funding increases make sense.
However, that extra funding doesn’t seem to be helping much. The number of mega data breaches has risen considerably in the APAC region alone. In one survey, around 35 percent of respondents reported the most damaging data breach from 2020 to 2023 cost between $1 million and $20 million, slightly higher than the global rate. Another 5 percent spent over $20 million on recovery.
At what point do business owners decide budget increases lead to diminishing returns? When recovering from a single breach can cost $20 million, what is the point of investing more? These questions may seem pessimistic, but CISOs should seriously consider them. Starting a dialogue among decision-makers is the only way to work toward a solution.
It takes more than a budget increase to improve security posture
Cybercrime is on the rise. An executive’s first instinct may be to throw money at the problem. Even though they don’t understand technical jargon, they know the situation is dire. However, those funds have strings attached — they want results. Inevitably, a data breach will happen.
Both sides will be frustrated with each other immediately. The executive will demand an explanation for the seemingly failed investment, while the information security team will become exasperated by their higher-up’s decisions. Both reactions are reasonable, putting them at an impasse.
No security approach is 100 percent effective because this field constantly evolves. Defense becomes even more challenging as APAC organizations invest more in novel solutions like cloud computing and machine learning. Dedicated cybercriminals will always dream up some new exploit that catches IT teams unprepared during the early days of deployment.
A 2024 survey of the APAC region’s workforce revealed workers’ feelings on the scale and pace of change. Around 68 percent of respondents agreed change has ramped up in the past 12 months compared to the year prior. Most believe too much is happening simultaneously.
Ultimately, improving security posture requires more than a funding increase. APAC businesses should consider cybersecurity less like a money problem and more of an attention problem. Although IT professionals can’t stop all breaches, their diligence pays off.
How business leaders can make the most out of budget increases
Midsize companies outsourcing every aspect of security and enterprise-level departments looking to shore up their defenses will reach a point of diminishing returns, so they must strategically budget. Small businesses, on the other hand, can benefit from marginally increasing their security spending relatively frequently as they grow.
1. Stretch funding with assessments
Regardless of their size and industry, they should work to stretch their funds. Risk assessments, asset cataloging, and threat intelligence technologies will help them identify their paint points and most relevant cyberthreats, enabling them to do more with less.
2. Leverage a human-centric approach
Since the APAC region is not suffering from a workforce shortage like others are, a human-first approach to cybersecurity that emphasizes awareness and monitoring should be feasible for most organizations.
A 2023 report from the International Information System Security Certification Consortium revealed just 31 percent of APAC cybersecurity professionals felt the impact of skill shortages — less than in the Middle East and Africa, Latin America, Europe, and North America.
3. Invest in future-proof technologies
Investing in future-proof solutions is safer than spending money on cutting-edge technologies. While some overlap exists, these are fundamentally two different categories. For example, quantum-proof encryption algorithms are more secure than internet-enabled nodes.
4. Periodically train staff members
Retention rates for corporate training are subpar. Even the most optimistic studies report they forget 50 percent of the learning materials within days after the session. However, educating employees is essential for maintaining a sound security posture. CISOs should employ microtraining techniques or hold sessions periodically.
5. Involve senior business leaders
Professionals should also consider involving board members and executives. If those individuals don’t understand technical jargon, visuals like infographics or charts can help. This approach can help them demonstrate the purpose and effectiveness of funding. Eventually, it may even help them justify another increase.
Avoiding the pitfall of overinvesting in the cybersecurity department
CISOs shouldn’t attempt to justify budget increases with a rotating door of hardware or additional software subscriptions. This approach creates more entry points and unnecessary redundancies, complicating IT’s job and making it easier for bad actors to infiltrate systems. Strategically investing in a handful of practical solutions is much more effective.
Zac Amos is the Features Editor at ReHack, where he covers business tech, HR, and cybersecurity. He is also a regular contributor at AllBusiness, TalentCulture, and VentureBeat. For more of his work, follow him on Twitter or LinkedIn.
TNGlobal INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.