Rethinking Cybersecurity Budgets: What Truly Drives Breach Reduction

Summary

Most cybersecurity budgets are built around the wrong question: “Are we secure?” That question is hard to define and even harder to measure, so it often leads to budgets that become little more than long lists of vendor renewals and compliance-driven line items. A better framing is: “Are we spending on the right things?”

In 2025, Marsh’s Cyber Risk Intelligence Center analyzed thousands of organizations’ cyber control implementations and compared them against breach-related cyber claims. They then ranked 12 cybersecurity controls by how strongly each is associated with reduced breach likelihood. The ranking is not what most companies have organized their budgets around.

Network hardening came in first. Endpoint detection and response, second. Logging and monitoring, third. Multi-factor authentication (MFA), the control your auditors keep asking about, came in sixth.

This article extends that lens into budgeting discipline, vendor risk, and cyber insurance, showing how finance leaders can translate 12 technical controls into measurable risk exposure. It covers two questions every CFO should ask before the next renewal cycle: how to evaluate vendor risk before it shows up on the balance sheet, and how to read a cyber insurance policy so the coverage actually pays out when something goes wrong.

The takeaway: most organizations aren’t underinvesting in cybersecurity. They’re misallocating it.


Multi-factor authentication is the sixth-most-important cybersecurity control.

That’s probably not what your team has been telling you. It’s also not what your auditors, your insurance broker, or your compliance framework have been telling you.

Here’s what happened.

In 2025, Marsh (one of the world’s largest insurance brokerages, formerly Marsh McLennan and consolidated under the Marsh brand in January 2026) published a report through its Cyber Risk Intelligence Center (CRIC) called Cybersecurity Signals: Connecting Controls and Incident Outcomes. They analyzed thousands of organizations’ cyber control implementations and compared them against breach-related cyber claims, then ranked 12 cybersecurity controls by signal strength: how much each one is associated with reduced breach likelihood, based on claims data, not vendor marketing.

The ranking is not what most cybersecurity budgets are organized around.

Network hardening came in first. Endpoint detection and response (EDR), second. Logging and monitoring, third. MFA, sixth.

That kind of finding should change a budget conversation. Not because MFA doesn’t matter. It does. But the ranking exposes a question most cybersecurity budgets have never really asked.

A note on disclosure: I’m not affiliated with Marsh in any way. I simply reference their published data because it’s one of the most useful analyses available to finance leaders today.

The 1-to-5 rubric and 0-to-100 risk bands below come from my consulting framework (Core CR-MAP™). The value is in the structure, and it can be applied independently or with any advisor.

One important caveat: this is not an ROI ranking. A control’s signal strength doesn’t reflect its cost, your current maturity, your regulatory duty, or the size of loss it may prevent. Use the ranking to focus the budget conversation, not to replace judgment.

The question most cybersecurity budgets weren’t built to answer

Most cybersecurity spending is organized around “are we secure?” That’s the wrong question. It can’t be answered cleanly. It produces budgets that are long lists of vendor renewals plus whatever the latest compliance framework demanded.

The better question is “are we spending on the right things?” That one can be answered. You start with the controls that correlate most strongly with reduced breach likelihood, then you grade your investments against them.

This is the shift Marsh’s data makes possible. They have one of the largest cyber claims datasets in the industry, and they used it to identify which controls matter and how much. Each control gets a signal strength score, calculated by comparing breach probability with and without the control in place. The bigger the gap, the higher the signal.

Here are the 12 controls, ranked by what the data says correlates with fewer breaches:

  1. Network Hardening (12.0% weight). Configurations enforced automatically through network management tools, not just documented as policy.
  2. Endpoint Detection and Response (EDR) (11.7%). Coverage breadth plus active monitoring. Marsh found that each additional 25% of workstations covered correlates with about a 10% decrease in breach likelihood.
  3. Logging, Monitoring, and Network Protections (9.5%). A central security log system (the platform that collects alerts from across your network and flags suspicious activity) that’s actively tuned, with people watching the alerts and responding.
  4. Cybersecurity Awareness Training and Phishing Testing (9.5%). Updated content on current attack techniques, with realistic simulations.
  5. Cyber Incident Response Planning and Testing (9.0%). A documented plan that has actually been tested. A plan you wrote two years ago and never opened doesn’t count.
  6. MFA for Remote and Privileged Access (8.7%). Phishing-resistant methods covering admin and privileged accounts, not just email.
  7. Email Filtering and Web Security (7.5%). Configurations that block spoofed senders, malicious links, and unsafe attachments before they reach anyone’s inbox.
  8. Patch Management and Vulnerability Management (7.3%). Automated patching with annual penetration testing by an outside firm.
  9. End-of-Life Systems Replaced or Protected (6.7%). Either retired or contained with compensating controls.
  10. Privileged Access Management (PAM) (6.7%). Special accounts (the ones that can change settings or install software across your environment) restricted to IT staff. Service accounts inventoried.
  11. Secured, Encrypted, and Tested Backups (6.0%). All three together. A backup that has never been successfully restored doesn’t qualify. Restoring a few files now and then is not enough.
  12. Vendor and Digital Supply Chain Risk Management (5.4%). Vendors tiered by risk and assessed accordingly.

For 15 years, most cybersecurity guidance has come from compliance frameworks. Standards like NIST 800-53, PCI, HIPAA, and CMMC give you long lists of controls. They don’t tell you which ones move the needle. The result is a checkbox culture that treats every control as roughly equal weight.

Marsh’s data says that’s not how breaches actually work.

Marsh’s data ranks the 12 controls by signal strength, but it doesn’t grade individual companies. To turn the data into a usable assessment, Cyber Risk Opportunities (CRO) built a five-point rubric for each control.

  • A 1 means Critical Gap (the control is absent or exists in name only).
  • A 2 means Significant Gap (limited form, with major coverage gaps or no testing).
  • A 3 means Partial (implemented but falling short of best practice).
  • A 4 means Strong (well-implemented with only minor gaps).
  • A 5 means Exemplary (fully deployed, tested, and continuously improved).

A 3 is the minimum acceptable threshold for operational resilience. The 12 scores are weighted by Marsh’s signal strengths and combined into a single number from 0 to 100, which maps to one of five risk profiles: Optimized (85-100), Well-Controlled (70-84), Developing (55-69), Elevated Exposure (40-54), and High Exposure (0-39). The graphic below shows the bands.

To be clear on ownership: the breach data and the control rankings are Marsh’s. The 1-to-5 rubric and the 0-to-100 risk bands are CRO’s professional judgment, applied on top of the data.
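To make the scoring mechanics concrete, here is an added worked example (my illustration, not CRO’s or Marsh’s code). The weights are the 12 signal strengths quoted above, which sum to exactly 100; the article does not state how a 1-to-5 grade is stretched onto the 0-to-100 scale, so the example assumes a linear mapping where a 1 contributes nothing and a 5 contributes the control’s full weight. The sample grades are constructed.

```python
# Weights (percent) are the article's signal strengths; they sum to 100.0.
WEIGHTS = {
    "Network Hardening": 12.0,
    "EDR": 11.7,
    "Logging and Monitoring": 9.5,
    "Awareness Training and Phishing Testing": 9.5,
    "Incident Response Planning and Testing": 9.0,
    "MFA for Remote and Privileged Access": 8.7,
    "Email Filtering and Web Security": 7.5,
    "Patch and Vulnerability Management": 7.3,
    "End-of-Life Systems": 6.7,
    "Privileged Access Management": 6.7,
    "Secured, Encrypted, Tested Backups": 6.0,
    "Vendor Risk Management": 5.4,
}

# Risk bands from the article, as (floor, name); checked top-down so a
# fractional score such as 84.5 still lands in a band.
BANDS = [(85, "Optimized"), (70, "Well-Controlled"), (55, "Developing"),
         (40, "Elevated Exposure"), (0, "High Exposure")]

MIN_ACCEPTABLE = 3  # article: minimum threshold for operational resilience


def composite_score(grades):
    """Weighted 0-100 score from {control: grade}, grades on the 1-to-5 rubric."""
    if set(grades) != set(WEIGHTS):
        raise ValueError("every one of the 12 controls needs exactly one grade")
    total = 0.0
    for control, grade in grades.items():
        if not 1 <= grade <= 5:
            raise ValueError(f"{control}: grade must be 1..5")
        # Assumption: linear mapping, grade 1 -> 0% and grade 5 -> 100% of weight.
        total += WEIGHTS[control] * (grade - 1) / 4
    return round(total, 2)


def risk_band(score):
    """Map a 0-100 score to the article's five risk profiles."""
    return next(name for floor, name in BANDS if score >= floor)


def priority_list(grades):
    """Controls below the minimum, ordered by weight x shortfall (largest first).

    A Critical Gap (1) in the lowest-weight control can outrank a 2 in a
    heavier one, which is the article's point about vendor risk."""
    gaps = [(WEIGHTS[c] * (MIN_ACCEPTABLE - g), c)
            for c, g in grades.items() if g < MIN_ACCEPTABLE]
    return [c for _, c in sorted(gaps, key=lambda x: x[0], reverse=True)]


# Constructed sample: an organization that "has MFA" but has never restored
# a backup, never tested its IR plan, and has no vendor tiering at all.
SAMPLE_GRADES = {
    "Network Hardening": 2, "EDR": 3, "Logging and Monitoring": 2,
    "Awareness Training and Phishing Testing": 4,
    "Incident Response Planning and Testing": 2,
    "MFA for Remote and Privileged Access": 3,
    "Email Filtering and Web Security": 4,
    "Patch and Vulnerability Management": 3, "End-of-Life Systems": 3,
    "Privileged Access Management": 2,
    "Secured, Encrypted, Tested Backups": 2, "Vendor Risk Management": 1,
}
```

Under these assumptions the sample scores 40.75 (Elevated Exposure), and the priority list puts Network Hardening first and the 1-graded Vendor Risk Management second, ahead of heavier-weighted controls graded 2.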

What MFA at six actually means for your budget

Most CFOs have been told MFA is the most important control. That came from a real place. A decade ago, MFA adoption was low. Companies that had it were dramatically less likely to be breached.

But MFA adoption is now above 80% in most organizations. The mere presence of MFA is no longer a meaningful differentiator. Everybody has it.

What matters now is whether your MFA covers the right accounts and whether it’s phishing resistant.

The right accounts mean admin and privileged, not just email. An attacker who phishes a sales rep’s password gets some access. An attacker who phishes a domain admin’s password gets the whole company. If your privileged accounts are protected by the same MFA your sales reps use, the attacker barely notices the speed bump.

Phishing-resistant MFA means hardware security keys (small USB devices) or passkeys, both built on the FIDO2 standard.

SMS codes can be intercepted. One-time codes from an authenticator app can also be phished: the attacker stands up a fake login page that captures the code and types it into the real site within the 30 seconds before it expires. Hardware keys defeat that. They only work with the legitimate website that issued them and refuse to authenticate to a fake one.

According to Marsh’s data, phishing-resistant MFA correlates with about 9% lower breach likelihood than non-phishing-resistant methods.

If your team says, “we have MFA,” the next question is where it’s actually deployed: does it cover admin accounts, and is any of it phishing-resistant?

Without those answers, MFA is not a 5. It’s more like a 2 or 3 on the rubric. That distinction is exactly what drives better budget conversations.

The same logic applies across all 12 controls. Backups that have never been restored are a 2, not a 5. An untested incident response plan is a 2. Security logs that generate alerts no one reviews are a 2.

This isn’t about being harsh. It’s about being precise. Accurate scoring is how you identify where security spend isn’t actually delivering value.

Vendor risk: how to evaluate it before it shows up on the balance sheet

Vendor risk shows up on the balance sheet two ways. First, when a vendor’s breach causes you to lose revenue (a logistics partner goes dark for three weeks, and your products sit in warehouses). Second, when a vendor’s breach drags you into the regulatory or legal fallout (a payroll provider exposes employee data, and you inherit the notification costs).

The question is not “Do my vendors have good security?” That’s a self-attestation game. Most vendors will fill out a questionnaire and say yes.

The questions that actually matter:

  1. Which vendors have access to data or systems that could materially hurt us?
  2. What is each of those vendors contractually required to do about security and breach notification?
  3. How would we know if one of them was breached?

If you can’t get a quick answer to those three questions from your IT and procurement leaders, you have a vendor risk gap. That’s true even if your vendor risk program looks good on paper.

The framework grades vendor risk separately as one of the 12 controls. It’s the lowest weight of the 12 (5.4%), but it’s also one of the most common Critical Gaps on first assessment.

Why give it this much attention if it carries the lowest weight? Two reasons. First, the lowest weight is still real weight, and a Critical Gap is still a Critical Gap. Second, this is the one control where the CFO has the strongest direct levers. Procurement contracts, vendor selection, breach-notification clauses, right-to-audit language: those sit closer to finance than the other 11 controls do. Cybersecurity owns the technical evaluation. Finance and legal own the contract.

The fix isn’t buying a third-party risk platform. It’s tiering vendors by impact and assessing the top tier on the things that actually create exposure: data access, system access, breach notification, and right-to-audit.

That’s a 30-day lift, not a 12-month transformation. The CFO is the right person to ask procurement and IT to do it.

Cyber insurance: how to read the policy so coverage actually pays out

Most CFOs read the cyber insurance policy when it arrives, and again when there’s a claim. The gap between those two reads is where coverage gets lost.

Three things to verify before you renew.

Sublimits. The headline limit is rarely the limit that matters. Ransomware, business email compromise, and social engineering often have sublimits that are 10% to 25% of the headline. Check those before you assume you have $5 million in coverage. A $5 million policy with a $500,000 ransomware sublimit is a $500,000 ransomware policy.

War, terrorism, and infrastructure exclusions. Carriers have been broadening war exclusions since the Merck/NotPetya case. Merck spent years arguing that a state-affiliated cyber incident wasn’t excluded under their property policy’s war exclusion; they won at trial in 2022 and on appeal in 2023. Lloyd’s of London issued exclusion language (LMA5564, a standardized war-exclusion clause) and required underwriters to apply state-backed cyber attack exclusions to standalone cyber policies starting March 2023. Most other carriers have followed with similar rewrites. If your policy was renewed since 2023, the war-exclusion language has likely changed. Ask your broker to walk you through it line by line.

Pre-conditions of coverage. Several carriers now require specific controls (MFA on all privileged accounts, EDR coverage, tested backups) as conditions of coverage. The application asks whether you have them. You sign attesting that you do. If those controls degrade between renewals and you have a claim, the carrier can pull the application and use the gap to dispute or deny coverage.

This is where a structured control review becomes useful. It gives you a way to verify, on a defined cadence, that what you told the carrier matches what’s actually true. Doing that verification before the claim, not after, is one of the highest-leverage things a CFO can do.

What this means for your next budget cycle

Stop asking “are we secure?” Start asking “are we spending on the right things?” Then make sure the people answering have a defensible framework behind their answer.

Three actions for the next 90 days.

  1. Get a claims-data-informed grading of your current cybersecurity controls. Not a compliance audit. A grade against the 12 controls the claims data says correlate with reduced breach likelihood. The output should be a single number from 0 to 100, plus a priority list of where the next dollar is best spent. Plan for a few hours of leadership time, not a multi-month project.
  2. Check your top three vendors against the three vendor questions above. If your team can’t answer quickly, those are the answers to start gathering this quarter. Tier the rest by impact and work through them on a defined cadence.
  3. Walk through your cyber insurance policy with the framework in hand. Map the 12 controls against the carrier’s pre-conditions and exclusions. Anywhere the two diverge is a gap that pays out as a denial, not a claim.

These aren’t technical asks. They’re budget hygiene. The CFO is the right person to lead them.

The next decade of cybersecurity spending will reward companies that ask the better question. The data is there. The framework is there. The discipline is what you bring.

Kip Boyle
Kip Boyle is the founder and CEO of Cyber Risk Opportunities LLC, where he serves as fractional CISO to finance chiefs at upper mid-market companies. He created Core CR-MAP™, a board-ready cybersecurity assessment built on Marsh’s claims data. He is the author of Fire Doesn’t Innovate (2nd edition), and the forthcoming Gears Don’t Guess: The Executive’s Practical Guide to Thriving in the Face of AI Hype and Risk. Former US Air Force officer, corporate CISO, and Senior Consultant at SRI International (formerly Stanford Research Institute), where his customers included the Federal Reserve Bank, Boeing, Visa, and Mitsubishi.