You are here
Information Security Costs: Budgeting for Cybersecurity
Are you spending time establishing or improving your cybersecurity strategy?
Why Should I Spend on Cybersecurity?
A good cybersecurity budget is built on outcomes. Most organizations should be able to say with a straight face:
- “We understand most of our current risks and we’re managing them within a budget”
- “We’re reasonably prepared for a breach”
- “We’re spending in the right areas of cybersecurity”
If you can’t make these statements without a grin (or grimace), you’re not alone. Read on to understand how to make 2018 the year that these statements come true.
How Should We Spend on Cybersecurity?
Risks are usually addressed in one of three ways. We never recommend putting all your eggs into a single basket. The balance will be different between these areas, but the cost of addressing the risk is generally the lion’s share of spending (north of 80% in most cases).
Transferring risk to a third party is an important part of the equation; cybersecurity insurance has come a long way in the last five years. The costs of a breach can be very high (the average consolidated total cost is $3.62 million), and quantifying/capping that spend should be a key part of your strategy. Hint: As a part of the insurance application process, you’ll be asked to attest to your readiness. If you stretch the truth, it can be difficult to collect from the provider once disaster strikes. An assessment will allow you to make informed statements about your cybersecurity maturity when filling out the application.
Accepting risk as an inherent part of operations is the second piece of the puzzle. If you’re an online retailer, you’ve likely made investments in cybersecurity, but you’ll never be able to completely eliminate risk; you have to accept some of it. Every organization has budgetary limitations, and no one can afford to eliminate risk entirely.
Addressing risk – what the remainder of this blog addresses – will be the largest part of your information security costs (as we mention above).
How Much Should We Spend on Cybersecurity?
Not surprisingly, the short answer is: “More than we used to.” Cybersecurity threats continue to grow, breach costs and frequency increase, and many organizations are addressing security head on. Cybersecurity spending is expected to exceed $1 trillion in the next five years.
Gartner reports that its clients spend between 4% and 7% of the total IT budget on cybersecurity. Booz Allen Hamilton advises that security spending fall between 5% and 8% of the IT budget. Chief Security Officer (CSO) magazine reports that its subscribers dedicate 7.2% of their total IT budgets to cybersecurity.
All of these reports caution, however, that their numbers are probably low; cybersecurity spending may not always land within the IT budget. Because it affects so many areas, compliance, training, and assessment, spending may not fall within that department’s spend.
Cybersecurity and Business Strategy
Much like IT, cybersecurity spending is often affected by how it’s presented. If the cost justification is mired in technical terms, industry jargon, and apocalyptic warnings, spending is often ignored and considered alarmist or unnecessarily complicated.
Cybersecurity should not be viewed as an “IT thing,” but as part of the organization’s overall business strategy (and aligned with company goals). An organization that grows through M&A has an inherently different set of cybersecurity challenges than one that expands organically. These differences should inform the approach, the spending, and the relative priority given to cybersecurity.
Where Should I Spend?
The basic building blocks that make up an effective cybersecurity strategy should be reflected in the budgeting process. They apply to organizations large and small; all are achievable, regardless of your budget:
A breach is likely to happen, and preparedness is key to reducing financial impacts. Finding the phone number for a good cybersecurity firm is best done ahead of time rather than after the fact. Pre-incident planning – having even basic discussions about “what-if” scenarios with the management team and departmental leaders – can make the difference between an afternoon of problems and months of response.
Finding out where you stand is an important step toward improvement. Many IT teams are excellent at securing their domains, but they’re often overwhelmed and miss other things as a result. A third-party assessment of cybersecurity threats can reveal issues that were assumed to be solved, and may turn up new threats based on current exploits.
Bringing employees to your organization’s defense may be the most critical step in this equation. For example, 78% of people claim to be aware of the risks associated with unknown links in emails, yet they click on them anyway. No matter what you spend on IT systems or preparation, people will almost always be the weakest link (and the most easily exploited). This is particularly true in the Midwest, where “Iowa Nice” can result in a hacker simply bypassing a million-dollar security system. An ongoing educational approach that keeps employees informed and thinking about cybersecurity can make a major difference in your success.
It’s estimated that most hackers are inside a network for more than three months before they’re detected. In the past, anti-virus was the solution, but there are more modern tools now available to detect threats early and find weaknesses inside the network. Setting a percentage of your budget aside for visibility into the network is an excellent long-term investment. It reduces the likelihood of a breach and decreases the severity and costs associated with a breach when it happens.
By having conversations early and often about information security costs and cybersecurity spending, and setting aside a budget that acts as a guide for managing risk, you’re one step closer to being prepared when (not if) an attacker strikes.
Co-Written by Aaron Warner and Tyler Wyngarden
Published in 2018 State of Small Business and Entrepreneurship by America's SBDC Iowa