In many respects, a cyber security program with insufficient budget is like a car without enough gas to reach its destination. Not only will you not get where you need to go, when you eventually break down, you’ll find yourself in a particularly vulnerable spot.
Your organization’s cyber security program is only as good as the budget supporting it. That’s not to say bigger is better. In fact, paying for the wrong protections can be just as devastating as not budgeting enough. Every organization’s cyber security needs are unique. Anyone trying to sell you a “one size fits all” cyber approach needs to be shown the door – quickly.
Let’s unpack a few important considerations when developing a cyber security budget.
Why Is It Important to Budget for Cyber Security?
Roughly 90% of data breaches are commonly attributed to ineffective security and awareness practices. Once an organization stores, processes, or transmits data to conduct its business, it needs to ensure that data is protected. This includes data like Social Security numbers for employees and customers, proprietary system code that you have developed, or any information that, if it were released, would cause damage to your business or your clients. For virtually all organizations, this type of data is integral to their work, and any breach could easily prove disastrous.
It’s also important to recognize that your cyber budget from five years ago may now be insufficient. As a business grows, so does its data, and with it the cyber security controls needed to protect that data. Without proper planning and budgeting for these expenses, it is quite common to pay three to four times more to react to a data security crisis than it would have cost to prevent it. Taking the time to adequately budget for cyber security can save significant time, money and reputation.
Assessing Your Cyber Security Needs
As mentioned above, every organization’s cyber security needs are different. Taking the time to adequately assess your needs will ensure both that your organization has the right protections and that you’re spending the appropriate amount for them. Before we get into how much to budget for cyber security, there are a few more things to consider.
Where are you on your cyber security path?
Again, if you possess sensitive data about your organization, customers or employees, then you need a cyber security program. But first, do you have any policies and procedures in place that detail how that data is to be protected? Do you have security monitoring and device-level security software to identify and stop attacks in your environment? If not, the first thing you need to budget for is these foundational aspects of a cyber security capability.
What strategic business and IT initiatives are taking place over the next 12 months or more?
If you have any strategic initiatives planned for the year ahead, expect that, as they’re achieved, they will result in new types of data for you to secure. To avoid unexpected costs, ensure that each strategic initiative has resources allocated for protecting any new data. Even if that data is being added to an existing system, expanding the system will require cyber security reviews and solutions to make sure you have not introduced a new security exposure.
Have you or other businesses in your industry had any previous cyber-attacks?
Maybe you have been hit by ransomware already, or maybe it was just a scare. Either way, this type of exposure also drives the budget you need to put in place to prevent further attacks. If you have been attacked once and do not have an organizational cyber security capability or program, then you should expect to be attacked again.
Are you indirectly already paying for some cyber security?
While every organization that has data must invest in its protection, not all of that investment is a direct expenditure. For example, if you rely solely on a third-party vendor for an outsourced service (e.g., QuickBooks Online for financial management or an IT managed service provider for network management), then some of these costs may already be baked into those services. Therefore, you need to ask what cyber security services are included in their packages before developing your budget, and confirm in writing where their responsibility ends and yours begins.
Common Pitfalls to Avoid When Developing a Budget
Now that you’ve assessed your security needs, it is time to get down to developing a budget. Here are the common pitfalls to avoid during this process.
Not knowing what you need and planning for it
Companies that underestimate their cyber security budget often must scramble to find money to implement critical protections when an attack arises. The first thing to understand is what you need. However, this can be tricky for an executive who doesn’t understand what’s involved in establishing a cyber security capability.
To avoid this pitfall, you need someone knowledgeable who can give clear guidance on what’s necessary and develop a multi-year roadmap with budget considerations. We often tell our clients that you cannot protect what you do not know about. You first need to identify your cyber security issues and exposures before putting a dollar figure against them.
Including cyber security in your IT budget
Cyber security services and IT services are not the same. IT focuses on technology resource availability, and cyber security focuses on protection. In fact, cyber security is a good check and balance on the information technology function in a company. It is hard to design, develop, implement and manage an IT function while also thinking of all the ways an attacker can exploit it.
Therefore, it’s important that the cyber security budget is kept separate from the IT budget, as they serve two very different functions in an organization. When the two are combined, the budget owner will constantly be put in the position of taking from one area to cover overruns in the other, and both will suffer.
Expecting your IT Director to budget for cyber security
As we just discussed, IT and cyber security are not the same, nor are the people who do the work. We hear from a lot of stressed IT directors who don’t know what to put into a cyber security budget simply because they do not know everything that’s involved in securing the environment. They only know the parts that touch them. That stress gets even worse when they are reprimanded by leadership for not allocating enough budget to protect the environment and then have to make out-of-cycle funding requests.
Think of it this way: your IT Director and your cyber security person are two doctors with different specialties. While they both practice medicine, one may be a general practitioner and the other a heart surgeon. You wouldn’t expect the general practitioner to perform heart surgery, and you wouldn’t expect the heart surgeon to perform your regular checkup and prescribe your routine medication.
Expecting your insurance company to pay for your cyber security program
Some companies erroneously assume their insurance company will pay for any cyber security needs, and therefore that they don’t need a cyber security budget. This is a serious pitfall, because most insurers put clients through an underwriting process before issuing a cyber policy. During that process, they require the client to attest in writing that a cyber security program or specific cyber security practices are in place. Should a breach occur, the insurer will typically conduct a forensic investigation first. If it finds that the company did not have the program and protections it attested to, the insurer may deny the claim, leaving the business to fully fund recovery from the incident.
How Much Should You Budget for Cyber Security?
So, your assessment’s done, and you have an understanding of what you need. Now, how much will it all cost? Views vary, but the common guidance is to allocate between 10% and 20% of an organization’s overall IT budget to cyber security. That is not a hard and fast rule, however. An organization with nothing in place will surely spend more than one that already has some technology or processes established.
Additionally, because cyber security evolves rapidly and rates can vary widely by industry and geography, it’s important that your budget accurately reflect current market rates.
We’ve seen several strategies for getting the requisite market information to inform a cyber security budget. Here are two of the most common ways:
- Have an external cyber security expert develop your budget. This can be a low-cost effort, informed by someone who knows the going market rates in your area for cyber security technology and related services. For organizations with boards or other oversight authorities, it helps leadership make the business case for any cyber security investment, since the budget was prepared by a knowledgeable and certified external party. These individuals will also have experience preparing budget documentation that withstands leadership and board scrutiny.
- Request quotes and/or develop and release a Request for Proposals (RFP). This is another low-cost strategy, though it does require an investment of time to develop and release the RFP and to evaluate vendor responses. Only take this route when you have someone internally with enough knowledge of cyber security services and solutions to vet the proposals.
Making the Case for a Cyber Security Budget
Figuring out how much you need to budget for cyber security is one thing; getting your budget approved is another, and it generally involves a presentation to leadership. Here are the top items to include when presenting your cyber security budget to give it the best chance of success:
Tie each investment to a strategic initiative
This can mean helping current initiatives deliver their full value securely, or it can mean supporting future business objectives. As mentioned before, each business activity results in data that is stored, transmitted, or processed. Make sure each line item on the budget specifically relates to a strategic initiative.
Calculate cost avoidance numbers
This is one of the simplest ways to get management on board with investing in cyber security. Help them see the cost of an actual data breach and compare it to the investment you are requesting for cyber security.
One of the most common approaches is to take a rough estimate of how many data records are in the environment, then multiply by the average cost per record for your industry from the annual Ponemon Institute study, a reference widely used by cyber security professionals and insurance companies to estimate the relative cost of a data breach and the cost per record by industry. For example, let’s say a healthcare organization has 100,000 sensitive records (sensitive in terms of confidentiality, integrity, or availability), and the study puts the average cost of a data breach in healthcare at $429 per record. If all 100,000 records are breached, the estimated cost to recover from the breach (including response, forensics, breach notification, brand/customer impact, and fines) would be 100,000 x $429 = $42,900,000. Use the figure for your own industry and the current year of the study, since the per-record cost changes from year to year.
Tie cyber security investment to other risk management investments made by the organization
Leadership may not immediately see cyber security as a cost of doing business. You need to help educate them. Investment in cyber security is no different from other organizational risk management controls, such as a robust finance function with checks and balances to prevent embezzlement. Cyber security is a check and balance that makes sure no unhealthy practices are taking place (knowingly or unknowingly) in the IT environment that could lead to data breaches.
Each year, more organizations fall victim to a data breach or cyber-attack, often at significant financial and reputational cost. If your organization relies on sensitive data for any function, you need a cyber security plan and a budget to support it. Everything we’ve outlined should equip you with the right questions and insights to begin developing a cyber security budget for your organization. That said, if you still have questions, we’d love to help you figure out your budget however we can.