How to justify your cybersecurity budget in 2019

September 23, 2019 | Kim Crawley

It’s less expensive to prevent cyber attacks than it is to repair the damage when they happen. Companies and institutions across industries lose money from cyber attacks all the time. There are the more obvious ways like piracy, data breaches, and litigation. There are also ways that accountants can’t quite put a dollar figure on, such as reputational damage that makes customers and clientele less likely to want to buy a company’s products and services in the future.

Everything is digital these days, both on premises and in the cloud. So cybersecurity staff and security measures are things you have to spend money on. But how should your company determine how much money to budget for security? And how should your company determine how to spend it?


What is a typical cybersecurity budget?

While there is no one-size-fits-all answer when trying to decide what a “typical budget” looks like for cybersecurity operations, there are a few studies that have been done that can provide some insight.

A recent study by Deloitte and the Financial Services Information Sharing and Analysis Center found that financial services companies spend, on average, 10% of their IT budgets on cybersecurity. That’s approximately 0.2% to 0.9% of company revenue, or $1,300 to $3,000 spent per full-time employee. For a bigger picture benchmark, consider that Microsoft CEO Satya Nadella recently revealed in a statement that the tech behemoth “will invest more than $1 billion each year in cybersecurity for the foreseeable future”. Finally, it’s worth noting that the 2019 U.S. President’s budget allocated $15 billion in spending on cybersecurity, about 0.3% of the entire fiscal budget ($4.746 trillion).

And while none of these figures can clarify what a “typical” budget should look like for the average business or organization, they can at least provide a benchmark for how larger tech firms, financial service companies and governments are allocating cybersecurity spend as a percentage of overall budget.

Considerations for your cybersecurity budget

There are so many different variables and factors involved when it comes to determining your cybersecurity budget. I’ll offer you some tips which can be used as a starting point to help your company decide.

I asked Kate Brew, from AT&T Cybersecurity, to send a tweet to get views from various industry decision makers. The question was “Cybersecurity budgets come in many sizes. How does your company determine yours?” Here are some responses, which should illustrate what typical cybersecurity budgets are. Some of the responses were a bit tongue-in-cheek:

  • “They keep me far away from budget/financial decisions at my company but I’d like to think a d20 is involved somehow...” (I love Dungeons and Dragons references!)
  • “Yeah. They most often range in size from ‘minuscule,’ to ‘barely visible to the unaided eye.’”
  • “Pick a number and subtract that number from itself. That's your budget.”
  • Someone posted an image of a dart board. Perhaps a roulette wheel would’ve been more appropriate?
  • “What is this ‘budget’ of which you speak?”
  • “Spin the bottle of money. It's just like the game we played last night at the party. The only difference is there was less tongue in Spin the Bottle at the party.”
  • Of course, someone else posted a GIF of a Magic 8 ball. All signs point to yes?

As you can see, cybersecurity budgets are a pain point for many corporate IT departments. Fortunately some of the other responses were more serious:

  • “We never had a cybersecurity budget until recently when I said we need a dedicated budget for it. So they took a chunk of the IT budget and told me to be grateful! So we have no more money overall, but some for cybersecurity!”
  • “I’m a consultant and what I’ve noticed... cybersecurity budget = cost to meet compliance.”

And here’s what I consider to be the most useful response:

  • “Most seem to be a subset amount carved out of total IT budget. Typically around 3-5%. Most of that budget revolves around (many) tools and few people running them. Security maturity developed around a framework with associated people, process, tech seems to be lacking for many.”

If you need to figure out what an appropriate cybersecurity budget is for your business, you may want to start by thinking about ROI, return on investment. For example, spending $100,000 per year is a good investment if it prevents a potential $1 million per year in losses from cyber attacks, but it would be overkill if it only saves you $50,000. One step forward, two steps back!

Bruce Schneier has some wise words when it comes to budgets and ROI. He explains that it’s trickier to apply to cybersecurity than it is to apply to more traditional areas like marketing and staffing.

“Cybersecurity (ROI and annualized loss expectancy) is considerably harder, because there just isn't enough good data. There aren't good crime rates for cyberspace, and we have a lot less data about how individual security countermeasures—or specific configurations of countermeasures—mitigate those risks. We don't even have data on incident costs.

One problem is that the threat moves too quickly. The characteristics of the things we're trying to prevent change so quickly that we can't accumulate data fast enough. By the time we get some data, there's a new threat model for which we don't have enough data. So we can't create ALE (annualized loss expectancy) models.”

A Gartner report from December 2016 says that the companies they’ve researched spend an average of 5.6% of their overall IT budget on cybersecurity, with a range of about 1% to 13%. That gives a good idea of what a typical cybersecurity budget is. But there are no one-size-fits-all budget guidelines, even within the same industry.

Here’s my advice. First, make an inventory of your data assets and what they’re worth to your company. Then consider what your company needs to do in order to comply with industry regulations that may apply to your business, such as healthcare’s HIPAA or the European Union’s General Data Protection Regulation (GDPR). Then look at what your company’s overall IT budget is. If what you need is about 20% or less of your general IT budget, then you probably have a useful figure to start with.

Are security budgets increasing?

The report I cited is nearly three years old. But the cyber threat landscape is constantly evolving and computer technology changes rapidly as well. All of that has an effect on how much your company should spend on cybersecurity. So what’s the situation in 2019? Are security budgets increasing?

For a clearer picture, I looked at ISACA’s State of Cybersecurity 2019 report. ISACA asked survey respondents “How, if any, will your organization’s cybersecurity budget change in the next twelve months?” Only 12% said that it would decrease. 34% said it would stay about the same. But 55% said it would increase. Are the respondents happy with that? Only 5% said cybersecurity was overfunded. 34% said that the budget was appropriate. But a whopping 60% said that cybersecurity is underfunded. So we can conclude that budgets are slightly increasing in general, but most cybersecurity professionals believe that their budgets should increase even more than that. ISACA’s data reflects the Twitter anecdotes that we’ve gathered for this post. So when in doubt, you should spend more in 2019 rather than less.

Tips for how to justify your cybersecurity budget ask

Asking for larger cybersecurity budgets is frustrating for many IT people and security practitioners. Most C-suite members lean more business than technical, and they might not understand that spending more money on cybersecurity now can prevent huge cyber attack losses in the future. So how do you justify your cybersecurity budget ask?

If your company has a CISO (Chief Information Security Officer), this responsibility will largely rest on their shoulders. Carbonite CISO Larry Friedman said, “CISOs should always align with the business when evaluating how to spend. Security spend should be calculated based on the risk associated with assuring continuity with important business processes.”

Whether or not your company has a CISO or a CTO (Chief Technical Officer), you’ll need to make a case to the CFO, COO, or CEO. Those types of executives think in dollars and cents and it helps to speak their language. How much money will your company save from spending more on cybersecurity?

In order to prove the worthiness of a financial investment in cybersecurity, it helps to have some provable figures and metrics. For that, implementing security intelligence and analytics tools will help a great deal. Here’s an example.

  • How many DDoS (distributed denial of service) attack attempts does your network experience in a typical year?
  • Have you had any data breaches?
  • Have employees succumbed to email and web phishing attempts?

From there you can explain the need for DDoS mitigation measures, data loss prevention systems, and employee security training. And the list goes on. Be ready with hard figures and specific details. That’ll be much more effective than saying “we need to spend $5 million more per year on cybersecurity.” Spend it on what exactly? Executives generally understand that money has to be spent effectively in order to not be wasteful. It’s not just how much money you spend but also how you apply it.

Cybersecurity budgets are a complicated issue and there are no easy answers. They’ll vary considerably according to your industry, the size of your company, what sort of networks you have, and so on. But hopefully this post is a good starting point to help your company spend enough money on cybersecurity, and spend it in the right way.

About the Author: Kim Crawley, Guest Blogger

Kim Crawley spent years working in general tier two consumer tech support, most of them as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things related to information security. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.
