Budget

With evolving and emerging cyber threats, setting aside enough budget for cyber security initiatives is increasingly important. Recent surveys indicate that many firms set aside about ten percent of the total IT budget for cybersecurity. The question is whether a fixed percentage is the correct way of allocating resources. The budget needs to be set in correlation with other costs in the organization. But is a percentage of the IT budget enough to protect your whole IT environment and to invest in security training and awareness, new security solutions, network essentials, perimeter and next-gen data loss prevention, as well as regulatory and compliance adherence? In modern organizations, ten percent may just be a starting point.

Use these approaches for setting your cyber security budget in the year ahead.

Benchmark Approach to Cyber Security Budgeting

How’s your company doing regarding cybersecurity: prevention, detection, and response? If that question is difficult to answer, you might consider a benchmarked approach to setting your cyber security budgets and investments.

A benchmark approach looks at how you’re operating and compares it to your peers, a framework, a comprehensive study, or a group of interviewed organizations. When an organization can observe the best practices of other security teams (organizational structure, level of investment in security, KPIs, etc.), the organization can quantify its results and prepare a standard cybersecurity budget that begins to improve on weaknesses and strengthen opportunities.

Risk-Based Approach to Cyber Security Budgeting

If you start with a risk-based approach to setting your budget, you begin by sharing with your Leadership Team the categories of risk for each area in your information security portfolio. A risk-based approach is often considered a budgeting method for mature security organizations because they can categorize risks across several domains and budget based on the cost to mitigate those cyber risks. It uses a framework similar to the NIST Cybersecurity Framework, where five domains represent the information security lifecycle.

Other things to consider are:

  1. The cost of a risk assessment to find where there are gaps in the current security solution. This activity is not only helpful but may be required by third parties, like the Payment Card Industry (PCI) in order to process credit cards, or may be required by law.
  2. What is the existing operational security spend (what it will cost to “keep the lights on” and continue to operate the infrastructure currently deployed)? Is this number trending up or down?
  3. Are there projects that need to be developed and implemented to keep risks at an acceptable level? What are the estimates for those projects? I suggest having them prioritized so you know what can be delayed based on the budget negotiation process.
  4. What level of spend can you justify for new technology? If you spend some today can you save more tomorrow? Have there been legislative initiatives put in place, or expected on the docket, that will require new or upgraded solutions to be deployed?
  5. Staffing, always a hot item, will it go up or down? Assuming down, by how much? Does this make outsourcing more or less attractive? If staffing goes up, how much of an increase will be approved and when will you plan on bringing the new team members onboard? How will the cost of automation projects impact the budget and will they result in cost savings or productivity increases for the next budget year?
  6. Staff retention. It is always less expensive to retain good staff than to replace them. Look at what it will take to keep your team interested and excited and add that to the number.
  7. Now for the fudge factor. Every year there can be unexpected activities that drive up spending. With the explosion of ransomware, make sure there is money budgeted to restore data from a backup instead of paying a ransom, which historically may not work or may lead to additional ransom requests. This, and other unexpected events, would go into the fudge factor of your budget.

While there is no one-size-fits-all answer when trying to decide what a “typical budget” looks like for cybersecurity operations, there are a few studies that can provide some insights.

A study by Deloitte and the Financial Services Information Sharing and Analysis Center found that financial services firms on average spend 10% of their IT budgets on cybersecurity. That’s approximately 0.2% to 0.9% of company revenue, or $1,300 to $3,000 spent per full-time employee. For a bigger-picture benchmark, consider that Microsoft CEO Satya Nadella revealed in a statement that the tech behemoth “will invest more than $1 billion each year in cybersecurity for the foreseeable future”. Finally, it’s worth noting that the 2019 U.S. President’s budget allocated $15 billion in spending on cybersecurity, about 0.3% of the entire fiscal budget ($4.746 trillion).

And while none of these figures can define what a “typical” budget should look like for the average business or organization, they at least provide a benchmark for how larger tech firms, financial services companies and governments allocate cybersecurity spend as a percentage of their overall budget.

Back link

https://www.dhirubhai.net/pulse/value-niklas-fredengren

Forward link

https://www.dhirubhai.net/pulse/investment-niklas-fredengren
