Cyber budgeting is a crucial component of financial planning for companies in all industries. In fact, most companies don’t even consider a cyber security budget. Businesses usually consider cyber as an “IT” investment. Monies spent on cyber security and IT are two separate bucket’s.
According to research from IANS + ArticoSearch, the percentage of the overall IT budget dedicated to cybersecurity is gradually increasing.
Additionally from the research, we can see the average cybersecurity spending by industry—which aligns with what we see across our customer base.
However, it is important to remember that like all things in the security world, there is no one-size-fits-all solution. Without a risk-based approach to a cybersecurity budget, companies may allocate budget incorrectly—on both sides of the scale.
While you certainly need to spend enough not to leave your business vulnerable, it’s just as important to avoid purchasing a $1,000 safe to protect a $100 bill. So how does a business ensure they’re correctly allocating cybersecurity budget?
To combat some of the confusion and help businesses craft a well-tailored cybersecurity budget, we compiled a list of critical considerations to guide you. While the needs of every company will vary, this list is intended to provide you with a solid framework that you can work from.
1. Know What You Have
Taking an inventory of your network is one of the best places to start when looking to build a cybersecurity budget. It’s challenging to defend assets (physical, virtual, SaaS, sensitive data, etc.) that the security program does not know about. That makes understanding the scope of what your company has—and what you as a security practitioner are responsible for protecting—critical.
Prioritize projects that make use of both staff knowledge and effective tools that provide visibility into where data is flowing. This visibility will have a positive effect throughout the organization by increasing awareness and collaboration, which will increase security. This may also help to reduce costs by identifying duplicate solutions that can be consolidated. This also reduces the likelihood of unbudgeted surprises as well.
Lesson: You can’t secure what you don’t know you have, and organizations can’t effectively manage what they are unable to measure.
2. Determine Your Acceptable Level of Risk
Speaking of measuring, be sure to conduct risk assessments on a documented schedule so that you are aware of your company’s level of risk. That schedule could be driven by regulatory or contractual requirements, so you need to be aware of any you need to comply with and ensure you are meeting those requirements. If you don’t have requirements to adhere to, the best practice is to conduct an assessment at least annually so that you are always aware of where your security program stands (and the progress you have made as well).
An efficient assessment always includes a roadmap to schedule remediating deficiencies that were detected in the assessment. These items can be assigned to anyone within your team (IT, administration, etc.). Showing improvement over time because of your security investments is a great way to help justify your cybersecurity budget, and having a regular assessment cadence will limit the number of surprises when it comes to both cost and risks.
Also Consider: vCISO Services
While vCISO services are commonly used to supplement security expertise in the organization, they can also be a great tool to qualitatively demonstrate progress and help your organization remain on track throughout the year. Consider investing in a virtual CISO to help keep your objectives and cybersecurity budget on pace from beginning to end.
3. Staff Awareness Training
Investing in staff security knowledge beyond standard security awareness training is crucial to gaining support and legitimization from departments outside of IT. Ensure specific roles receive focused security education tailored to their level of risk and responsibility.
Awareness training also reduces your organization’s risk of a serious cyber incident. In theory, this could help avoid leaning on insurance companies or outside consultancies to recover from incidents, and instead focus its budget on improving security posture. Keeping your staff educated and formalizing the processes and procedures that require advanced skills are important considerations for any cybersecurity budget.
4. Incident Response Preperation
But even with excellent user and awareness training, don’t forget to make room for incident response preparation in your cybersecurity budget! The worst time to plan for an incident is during one.
Ensure that insurance policies provide the expected coverage and support necessary based on the level of risk outlined by your latest risk assessments and risk management program.
Incident response typically evokes thoughts of major data breaches, but organizations should also consider the resources they have to handle less serious incidents. Monthly incident response retainers can provide valuable support, and incident response teams are in high demand.
Certain providers’ incident response hours expire after one year, however, there are some programs that provide the option to convert unused hours into other services. This way, the organization still receives value for the expense even if an incident never takes place.
This is an excellent way to justify the cost of incident response services in your cybersecurity budget.
Don’t Forget: Incident Response Plan Development
Budgeting for incident response and dealing with events is only as strong as your Incident Response Plan. Even smaller organizations can benefit form a thorough and efficient IRP.
5. Implementing Zero-Trust Architecture
Zero trust, as a policy, is another one of those critical items that should be a top factor in your cybersecurity budget. Implementing a zero-trust architecture (e.g., NIST SP 800-207) with an exceptional user experience both decreases the likelihood of an incident and increases the confidence and ability to improve an organization’s overall security posture. This is especially important for business models that have implemented an ongoing work-from-home infrastructure and those that are using cloud service providers as well.
You will need to evaluate your current controls and potential for needing additional solutions, such as phish-resistant MFA or improvements to your logging and alerting solution. And don’t forget to account for the time and possible need for new hardware to implement proper network segmentation.
Almost all companies can benefit from a zero-trust protocol, but it will be especially impactful for those who need high levels of agility and flexibility on top of remaining secure and compliant.
6. Adopt a Framework, and Follow it
Something like the NIST CSF 2.0 framework will provide the structure needed to implement a good cybersecurity program—while also allowing you to show the business why items in your cybersecurity budget plan are so critical.
It’s much easier to justify and map out a budget if you’re following an established, vetted, and proven framework.
Again, if you are in a regulated industry you will need to be aware of those nuanced requirements, but the same concept of mapping items in the budget to the controls of the framework applies regardless of the requirements you adhere to.
7. Expect the Unexpected
Despite everyone’s best efforts the unexpected can, and typically will, occur. You may opt to build a “rainy day” fund into your budget to help account for these wildcards.
Understanding the organization’s risk profile, controls in place, and previous cyber incidents should all play into determining what the appropriate amount of that fund will be.
If you are lucky and don’t need your extra fund, then you can always apply it towards additional services that will improve the program. That could be something like an IR or DR tabletop or additional training for users.
No matter the maturity of your program, there is never a shortage of controls that can be implemented or improved upon.
Final Thoughts
Protecting the information and people impacted by it is the goal of any IT or security team, but it can be difficult to determine exactly what costs need to be accounted for. Creating a risk-based cybersecurity budget helps to anticipate expenditures and provide a structured plan to remediate any existing holes in a business’s security posture.
It is our hope that this guide can serve as a jumping-off point to help with creating a realistic budget—and verify that your company is considering its most critical needs.
Ensure your cybersecurity budget is optimized for protection and efficiency. Contact us for expert guidance in building a tailored, risk-based strategy that aligns with your business needs.
* * * * * *
Author: Lyle Melnychuk
I am a 20 year information security veteran, and I tell it like I see it. I’m not known for being politically correct, and this sometimes gets me into trouble. More often than not; however, clients and colleagues come to appreciate the candor and common sense approach. If you look at security (the right way), you’ll find that it’s just not as complicated as people make it. I hope you enjoy my writings on security and other miscellaneous things. I really have a strong and deep passion for helping people with technology and making the world a better place.
