Steering Clear of Disruption: Strategic Cybersecurity Budgeting for Transit Agencies
By the APTA Transit Cybersecurity Working Group | 11/3/2025
A New Reality for Transit Security
A staggering 186 percent year-over-year increase in ransomware attacks has made cybersecurity a frontline crisis for the transit industry. According to research from Check Point, the transportation agencies that keep communities connected are prime targets for cybercriminals. The consequences are not merely technical. They are also public and operational, delaying trains, disabling fare gates, and compromising passenger safety. This escalating threat leaves executives facing a difficult question: Are we spending enough, and are we directing those funds wisely? Answering this requires moving beyond traditional budgeting and adopting a strategic, data-driven approach that links every dollar to measurable resilience outcomes.
The Problem with Traditional Budgeting

Too often, cybersecurity budgets are shaped by last year’s numbers instead of this year’s risks. This incremental approach cannot keep pace with evolving adversary tactics, new technologies, or the growing convergence of IT and OT systems. Benchmarking offers a more strategic alternative. It provides a data-backed reference point to determine whether investments align with both program maturity and operational complexity.
The NIST CSF and the Maturity Lens
To benchmark effectively, agencies need a shared language for progress. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides that foundation. Rather than a rigid rulebook, CSF organizes activities into six core functions:
Govern: Establish strategy, roles, and accountability to align cybersecurity policies and investments with mission objectives.
Identify: Build an inventory of IT and OT assets—from fare systems to rail signals—to understand what must be protected.
Protect: Implement safeguards such as access control, network segmentation, and staff training. In OT environments, this includes isolating control systems and protecting legacy assets with compensating controls.
Detect: Use monitoring tools and escalation thresholds to identify anomalies and threats quickly.
Respond: Develop and rehearse playbooks defining how operations, communications, and leadership contain incidents.
Recover: Create and test continuity plans to restore systems efficiently and maintain public trust.
When paired with a maturity model, these functions allow agencies to measure implementation effectiveness:
Level 1 (Initial): Processes are ad hoc and reactive.
Level 3 (Defined): Procedures are formalized and documented.
Level 5 (Optimized): Predictive analytics and continuous improvement preempt emerging threats.
Linking Ratios, Risk, and Maturity
Executives can benchmark the agency’s spending using the cyber-to-tech spend ratio. This method compares cybersecurity investment to total technology spending across IT and OT systems. Tracking this ratio across time and peer agencies gives immediate perspective. Higher ratios tend to correspond with higher maturity, faster recovery, and lower risk. Lower ratios often indicate reactive processes and greater exposure.

A Quick Assessment Tool
A simple assessment can reveal risk posture in real time. For instance, an agency spending under five percent of its technology budget and operating at low maturity faces a very high likelihood of disruption. While the assessment is useful as a snapshot, its true value lies in tracking year-over-year progress. During reviews, compare the agency’s current ratio and maturity level to benchmarks. If spending falls below target, highlight the gap as a priority for action.
From Benchmark to Defensible Roadmap
Turning insight into action begins with defining a target maturity level and its corresponding investment ratio. Then, break spending into categories of people, process, and technology. If assessments reveal weak detection capabilities, the next budget cycle should prioritize Endpoint Detection and Response (EDR) tools, threat-hunting training, and 24/7 SOC coverage. Tying each expenditure directly to a CSF function ensures that every investment supports a specific resilience objective.
A Framework for Continuous Improvement
Effective cybersecurity budgeting is agile, iterative, and measurable. Grounding the process in the NIST CSF supports a continuous Plan–Do–Check–Act cycle:
Plan: Set a target CSF maturity level.
Do: Implement required controls.
Check: Assess current maturity and results.
Act: Reallocate resources to close performance gaps.
This structure transforms cybersecurity budgeting from a static cost center into a dynamic mechanism for risk reduction and resilience building.
The Bottom Line
Cybersecurity budgeting should never rely on guesswork. Benchmarking transforms subjective decisions into a governance discipline, enabling transit leaders to invest with confidence, demonstrate measurable risk reduction, and strengthen operational reliability and public trust. By tying investment to data and maturity, agencies can ensure safer systems, resilient service delivery, and communities that remain connected and on the move.
NIST CSF Maturity Level Benchmarks
| NIST CSF Maturity Level | Risk Level | Cyber/Tech Spend Ratio |
|---|---|---|
| Level 1: Initial | Very High | <5% |
| Level 2: Repeatable | High | 5–8% |
| Level 3: Defined | Moderate | 8–12% |
| Level 4: Managed | Low | 12–15% |

The APTA Transit Cybersecurity Working Group (TCSWG) develops control and communications systems standards and recommended practices for APTA members.