How much do organizations need to spend on cybersecurity? Plenty of benchmarks — broken down by industry, company size, and overall IT spend — offer a good starting point. But those benchmarks can’t tell you everything you need to know about an individual organization’s needs.
Cybersecurity budgeting is a complex and evolving process that requires chief information security officers (CISO) to know the ins and outs of their organizations and how to make a compelling argument for resources that C-suites and boards will understand.
Five cybersecurity leaders share their insight into budgeting challenges and strategies with InformationWeek.
How Much Does Cybersecurity Cost?
Settling on a number for cybersecurity spend is often a question of risk. What are a company’s biggest cybersecurity risks, and what is its tolerance for those risks? “The risk tolerance is informed by the mission, competitive landscape, regulatory requirements, and culture of the company,” says Ken Deitz, CISO and CSO of Secureworks.
Some risks are easier to quantify. Potential fines relating to a data breach and lost revenue during downtime have easily identifiable dollar values. Other risks, like reputational damage, have a more nebulous but no less important cost. What does a company need to spend to bring risk mitigation in line with risk tolerance?
“A good general rule for a technology dependent company that has very little tolerance for reputational damage arising from a cybersecurity incident is upwards of 10% of total technology budget dedicated to cybersecurity,” says Deitz.
Once CISOs have a clear picture of an organization’s risks, they can begin to connect those risks to company goals. This serves as the foundation for a cybersecurity spending roadmap. Every organization’s roadmap will be different. For those with relatively new cybersecurity programs, a large chunk of the budget will likely be dedicated to the people managing manual processes. Organizations with more mature cybersecurity programs may spend more on security tool development and automation.
“I think the first thing that needs to happen is an assessment of the current state of the security program, so they can identify where gaps and maturity needs to happen, and then plan and budget for those improvements and sustainment activities,” Max Shier, vice president and CISO at Optiv.
Where Does the Money Go?
Securing a cybersecurity budget requires CISOs and other budgetary champions to show how resources will be allocated.
- People. Talent is a big line item in any cybersecurity budget. “Unsurprisingly, cybersecurity staffing and compensation make up the largest portion of a security budget, and the shortage of skilled security professionals is certainly increasing the cost of hiring and retaining security talent,” says Tim Chase, global field CISO at Lacework.
- Third-party services. Many organizations have a blend of in-house and outsourced cybersecurity functions. “The ‘people’ bucket is shifting more to contractors and managed services, especially given today’s economic climate,” points out Nick Puetz, managing director in the security and privacy practice at Protiviti.
- Tools. Organizations need cybersecurity tools to protect sensitive data, detect cyberthreats, and manage incident response. Finding the balance between prevention and detection can be one of the challenges of cybersecurity budgeting. “Both are important, but there is only so much money to go around,” says John Hernandez, president and general manager of Quest Software.
- Compliance. Governance, risk, and compliance spending can be an important component of cybersecurity, particularly in highly regulated industries.
How Do You Make the Case for Cybersecurity Spend?
Cybersecurity awareness at the executive and board levels has grown, but CISOs still must make a compelling argument to secure their budgets.
“Many times, implementing stronger preventative measures also means spearheading a culture shift within the organization,” says Hernandez. “Having enough insight into the impact on the company and what it will take to implement those changes can be a big challenge.”
In many ways, successfully securing a cybersecurity budget is about building relationships. CISOs, or any other cybersecurity leader spearheading the budgeting process, needs to be able communicate the risks, how they tie to the organization’s overall success, and what the requested budget will do to manage those risks. “One of the CISO’s primary jobs is to interpret requirements and needs into a language the board and senior executives can understand,” says Shier.
Understanding the backgrounds of the people you are trying to convince can be useful. Chase points out that a board member that comes from a banking background, for instance, is going to be focused on raw metrics. CISOs can use that knowledge when they make budget asks.
Budgeting takes a lot of legwork. Simply showing up during scheduled budget meetings, or during a cybersecurity crisis, is unlikely to yield the best results. “I try to sit down with finance and my leadership team prior to submission to ensure we are all on the same page as to why a line item is there, how we got to that number, what is included in the license or service, and how it helps the security program and business,” Shier details.
Hernandez stresses the importance of providing cybersecurity education. “Hold peer or learning sessions with cybersecurity leaders or investigators who can pull back the curtain and explain the impact of breaches or security incidents on the organization and its reputation, without resorting to acronyms and buzzwords,” he recommends.
Remember that securing a piece of the budget once is a win, but CISOs will need to continually return to the budgeting table. “Trying to scare everyone into taking an oversize piece of the budget is a poor long-term strategy,” says Deitz. “A cybersecurity leader must show that they are part of the business, and that cybersecurity is integral to success.”
How Do You Avoid Waste?
A cybersecurity budget can easily feel like it’s stretched too thin, but that does not mean there isn’t the potential for waste. “Cyber teams … tend to procure new technology every time a new risk is identified, which results in overspending, inefficient technology implementation, and unnecessary complexity,” Puetz offers as an example of waste.
Evaluating current solutions before investing in something new can help avoid unnecessary spending. “I sit down with our vendors at least twice a year to understand new capabilities and their roadmaps to see if we could better leverage capabilities we already have or implement more capabilities that may have been released by the vendor,” Shier shares.
Consolidating vendors and solutions can also help cybersecurity teams avoid waste. One solution that addresses multiple risks versus several disparate solutions can mean lower costs.
When Does a Cybersecurity Budget Need to Be Updated?
A cybersecurity budget is not static. It must be updated to keep up with an organization’s risks and the evolving threat landscape. How often the budget is reassessed will be a function of an organization’s industry and unique risks. For some organizations, quarterly assessments may be enough. Chase notes that health care organizations may revisit cybersecurity spending more often due to the prevalence of ransomware attacks in their industry and the costs associated with those attacks.
At Optiv, Shier takes a proactive approach to budgeting. He meets with the finance team each quarter to talk about current spend versus planned spend. Six months to a year before a license expires, he and his team sit down to discuss any potential spending or vendor changes.
“We start budget review and planning at least three months prior to fiscal year end to ensure we adequately plan for projects, staffing needed for implementation and sustainment, and to account for any changes to the security stack or vendors,” he says.
Scheduled budget talks are important, but the speed at which the cybersecurity landscape, and the accompanying risks, change can necessitate more frequent conversations. “If risk and spending are out of sync, something needs to change,” says Puetz.