Security was once mysterious, but everyone is far more aware and connected today than they used to be—and that translates into a greater level of understanding and acceptance. With good reason, security breaches or failure to comply with regulations can result in a big hit to the brand, making board members and senior-level managers take notice. And it can all fall on the CIO.

This increased awareness is the beginning of a solid cybersecurity budget. In the CIO Survey, 82 percent of respondents cited cybersecurity as a high or critical concern for the next 12 months, the highest percentage across all surveyed categories.

However, as organizations invest in cybersecurity, budgets need to be strategic. Simply throwing money at cybersecurity can put an organization in a bad position. And the more IT spends now, the more the organization needs to spend later on upkeep. Investments require support, and lots of it. More importantly, technology itself doesn’t solve anything—even when people use it as a proxy for results. Likewise, woeful underspending on security is dangerous.

Bottom line: It’s time to take stock and develop a threat-focused, risk-based approach to your security strategy.

In building a risk-based strategy, organizations need to focus on three primary components—assets, vulnerabilities and threats—rather than simply looking for holes. For example, if the business doesn’t have any credit-card payments, why research POS system vulnerabilities? It’s counterintuitive to protect an area that does not apply to organizational operations. The key to success is to take the time to understand the real threats, where they are coming from and potentially what they look like.

Furthermore, any modern cyberstrategy needs to complement the go-to-market strategy for the company. There should be a direct tie-in, including accommodation for any compliance standards.

One of the more challenging aspects of budgeting for cybersecurity is demonstrating the return on investment. It’s difficult, if not impossible, to accurately depict the ROI from stemming hypothetical attacks. However, it’s still possible to show value with links to positive results by, for instance, tying the investment to the ability to accelerate the organization’s move to mobile or improved time to market for a new offering.

As security professionals, we need to embrace these new metrics to show value—not just for brand protection but also for new opportunities.