While there’s always a difference between spending and an organization’s security maturity, the amount of the budget set aside for cybersecurity is frequently a reflection of the priority it’s given.
Why Should We Spend on Cybersecurity?
A good cybersecurity budget is built on outcomes. Most organizations should be able to say with a straight face:
If you can’t make these statements without a grin (or grimace), you’re not alone. Read on to understand how to make this the year that these statements come true.
Some really interesting statistics were recently posted at VPNGeeks.com for 2018:
https://www.vpngeeks.com/21-terrifying-cyber-crime-statistics-in-2018
More than enough to understand why this spending is no longer really optional. The more important question is how you should spend.
How Should We Spend on Cybersecurity?
Risks are usually addressed in one of three ways. We never recommend putting all your eggs into a single basket. The balance will be different between these areas, but the cost of addressing the risk is generally the lion’s share of spending (north of 80% in most cases).
How Much Should We Spend on Cybersecurity?
Not surprisingly, the short answer is: “More than we used to.” Cybersecurity threats continue to grow, breach costs and frequency increase, and many organizations are addressing security head-on. Cybersecurity spending is expected to exceed $1 trillion in the next five years.
Gartner reports that its clients spend between 4% and 7% of the total IT budget on cybersecurity. Booz Allen Hamilton advises that security spending fall between 5% and 8% of the IT budget. Chief Security Officer (CSO) magazine reports that its subscribers dedicate 7.2% of their total IT budgets to cybersecurity.
All of these reports caution, however, that their numbers are probably low; cybersecurity spending may not always land within the IT budget. Because cybersecurity affects so many areas, spending on compliance, training, and assessment may not fall within the IT department’s budget.
Cybersecurity and Business Strategy
Much like IT, cybersecurity spending is often affected by how it’s presented. If the cost justification is mired in technical terms, industry jargon, and apocalyptic warnings, spending is often ignored and considered alarmist or unnecessarily complicated.
Cybersecurity should not be viewed as an “IT thing,” but as part of the organization’s overall business strategy (and aligned with company goals). An organization that grows through M&A has an inherently different set of cybersecurity challenges than one that expands organically. These differences should inform the approach, the spending, and the relative priority given to cybersecurity.
Where Should We Spend?
The basic building blocks that make up an effective cybersecurity strategy should be reflected in the budgeting process. They apply to organizations large and small; all are achievable, regardless of your budget:
By having conversations early and often about information security costs and cybersecurity spending, and setting aside a budget that acts as a guide for managing risk, you’re one step closer to being prepared when (not if) an attacker strikes.
To learn more about how to budget for cybersecurity, or to explore ways to protect your organization against data breaches, contact us!