Optimizing Your Cybersecurity Budget

“Money should not be a thing when it comes to cybersecurity” is a phrase often uttered by people who know very little about money in general and even less about cybersecurity.

In fact, money is important. It matters a lot. If money doesn’t matter, even the most modest organization can hire a team of experts to work around the clock to build, operate and maintain a military-grade cybersecurity infrastructure.

The truth is that cybersecurity, like any other business process, must follow the budget.

Budget optimization

Budgeting for security can be challenging because the nature of vulnerabilities changes daily. “We, as an online practice, do not believe there is one magic software or platform,” says Rahul Mahna, Managing Director of Managed Security Services, Risk and Regulatory Compliance Inc. EisnerAmper Digital. He proposed creating a budget that adheres to three distinct visions: reflections of past events (to prevent past mistakes from being repeated); current security needs; and future plans.

All cyber events and impacts are not equal, and organizations cannot equally defend and recover from them. “Leaders are advised to improve cybersecurity spending by first identifying risks that are unique to their organizations with specific dollar terms,” says Andrew Morrison, head of cyber risk, defense and response services strategy at business consultancy Deloitte. Estimating the magnitude of cyber risk allows leaders to calculate the expected losses from a cyber event in dollars. “Through detailed modeling and scenario simulation, it is possible to establish fairly accurate estimates of the financial loss that would result from a cyber event – ​​and to help determine how to allocate and prioritize cyber spending to more effectively address these specific risks.”

Avoid pitfalls

Many organizations start building their cybersecurity budget under the false assumption that they will never be attacked. Then they think they can safely reduce their investment in cybersecurity. “I can think of thousands of companies that have felt the same way,” says Alan Brill, senior managing director of the cyber risk practice at governance and risk consultancy Kroll. Most eventually learned – the hard way – that attacks can infect any organization at any time.

It doesn’t matter if the organization is high, medium or low level, since attacks are often random and/or automated. In many cases, it feels like you’re a duck at a shooting fair. “If you are using a particular program, and that program has a previously unknown vulnerability, you can be successfully attacked,” warns Brill. “There are no guarantees.”

One of the biggest mistakes organization leaders make when building and allocating their electronic budgets, Morrison says, is to take a “peanut butter approach — distributing money evenly across all cyber domains in an effort to mitigate risk at scale. The challenge for the peanut butter approach is that Organizations are underinvesting in the areas that actually pose the greatest risk while spending more in the least risky areas.” For example, in some organizations, the security of the supply chain and its underlying operational technology may be more important to business operations than the security of cloud transformation efforts.

Mahna says his clients usually only care about cybersecurity when there is a compelling reason to start the conversation. “Customers then are very aggressive about having lengthy discussions and want to fill in the many gaps we identify with risk-based solutions,” he explains. Then… absolutely nothing happened. Mahna notes: “At this juncture, there is usually a ‘pause for complacency.’ We call it the ‘run fast and go nowhere’ mindset.

Since nothing terrible happens during the pause, the customer usually begins to think: “Why spend this money if everything looks so good? They completely forget the original compelling reason to start the conversation.” This is usually the biggest mistake, says Muhanna. , usually when a negative electronic event occurs.

construction support

Winning administrative support is an essential step towards creating a realistic and effective cybersecurity budget. “It can be really difficult for internet teams to prove passivity — there is value in significant cyber spending if revenue is not lost as a result of a cyber event,” Morrison explains. “However, when cyber teams have justified models in place to demonstrate the likelihood and impact of potential cyberattacks specific to the organization’s unique and existing threat profile, it can help paint a clearer picture to the rest of C-suite members, the board of directors, and other stakeholders on the value of the genuine cyber investment required.” .

Takeaway Cyber ​​Security Budget

Brill notes that budgeting for cyber defense, managing risk, and preparing for an incident is simply part of doing business in the 21st century. “Recognizing the possibility of an incident occurring, and resulting in charges not being budgeted for, is a fact that every organization must recognize and plan for.”

Related content:

The cost of a ransomware attack, Part 1: Ransomware

CIO Agenda: Cloud, Cyber ​​Security, and AI Investments in the Future

Where IT leaders are most likely to spend the budget in 2022


Leave a Comment