Thinking beyond the budget: Investing in cybersecurity

Ask your cybersecurity team about budgeting, and they’ll say they never have enough funds. Ask the IT team, and they’ll say they need to upgrade their network infrastructure rather than invest in more security. Ask the CFO, and they’ll say security teams already have enough money. 

There is a finite amount of money available to share within an organization, and cybersecurity is still a relative newcomer to budget allocations. In most companies, the security budget is part of the IT budget, and while there is no set industry standard, most businesses spend about 10% of their IT budget on cybersecurity, and that can vary if compliance costs are included.

Considering what the security budget covers for day-to-day expenses—hardware, software, outsourced services, in-house talent—combined with the average cost of a data breach or other cyber incident—$4.35 million in 2022—it’s imperative to rethink the reasons for security spending. A cybersecurity budget isn’t merely money to throw at stopping a cyberattack; it’s an investment in your company’s overall business operations and financial goals. Your cybersecurity program adds to your organization’s overall worth.

According to HBK Insights: “Even beyond protecting your organization from potentially catastrophic data thievery, a cybersecurity program is an investment that adds real, quantifiable value to your business—added value clearly evident as owners look to merge or sell their businesses.” 

Spend money to make money

A cyber incident doesn’t just cost money in terms of fines and down time. According to an Arcserve survey, nearly nine out of 10 customers consider the trustworthiness of a business prior to purchasing a product or service and 59% of consumers will avoid doing business with an organization that has experienced a cyberattack in the last year. With nearly unlimited options, customers will walk away from a company when personal information is compromised in a data breach. Norton research also finds that  65% of consumers also consistently worry about their personal data being stolen. 

Don’t undervalue how security posture is linked to reputational value. If your security vulnerability is connected to a major supply chain cyber incident, companies will move away from doing business with you. Conversely, having a strong cybersecurity program and showing that you take security seriously is a major selling point to new partners and clients. A cybersecurity budget is really money spent to help support corporate market values and ultimately to boost revenue.

“Once organizations begin to focus on cybersecurity as the main course and not a side order in their IT spend, they’ll increase their profits and their reputation. And as a result, they’ll get new business opportunities. It really is that simple,” stated an Integris blog post.

Where to spend your security budget

A benchmarking approach can help focus your security budget. Talk to cybersecurity teams at businesses that are similar to yours—same industry, size, location, consumer base, etc. How do they implement their budgets? How have they built their best practices?

You can also conduct a risk assessment to see which areas need more funds and where you might be overspending. 

Additionally, consider issues like:

• Regulatory compliance. Some compliance standards dictate where your security spending must be allocated, which is a good starting point for setting your overall budget allocation.
• Priority shifts and new business initiatives. Is your budget designed to scale with changes to the business? COVID-19 forced organizations to rethink their approach to security as workers moved from mostly on premise to mostly remote. 
• Security training. The more aware users are about security risk, the more secure your organization will be. Short-changing funding for proper and thorough training will end up costing you in the long run.
• Cyber insurance. Ransomware has changed the info sec industry, and cyber insurance may not cover everything that it once did. Fees for insurance are rising. The requirements to be eligible for cyber insurance will also need to be accounted for. How you budget for insurance will be dependent on the amount of risk you’re willing to take.
• Salaries. Cybersecurity professionals are hard to find. The skills shortage is real. If you want to have a quality security team, you either need to pay in-house professionals a competitive salary with benefits to help prevent burnout, or budget for a managed security services provider. 

Budgeting for cybersecurity is more than spending money on a few tools designed to prevent a data breach. Cybersecurity spending is an investment in the business’ future and should be treated as such.