Cybersecurity Budgeting 101: How to Optimize Your Security Spend for Maximum ROI
How should you be spending your security dollars for best results?
A good starting point is asking yourself what you are trying to protect, why you are trying to protect it and what your current cybersecurity posture is.
Answering these questions will help you determine which security expenses you absolutely require, which ones you could do without and help you clarify what you want to focus on going forward.
In response to the increasingly dangerous cyberthreat landscape, the digitalization of businesses and stringent compliance requirements, organizations are spending more money on security initiatives than ever before. In fact, the global enterprise security spending is forecasted to grow by 8 percent to a total of $96.3 billion in 2018, according to research and advisory firm Gartner. On average, organizations tend to spend 5.6% of their overall IT budget on cybersecurity. Recent studies demonstrate that more than half of organizations consider security to be a top priority in their IT budgets for 2018.
With security spending on the rise, IT and security professionals find themselves confronted with a sheer infinite number of the latest and greatest security tools, technologies and services that are supposed to help them protect their organization’s critical assets. More often than not, “figuring out a cybersecurity budget is often a mix of emotion and guesswork”.
If you’re involved in determining your security projects and related budget for the fiscal year, where will you be spending? Where will you stop spending? And, most importantly, how can you know whether your security investments are effective enough to pay off?
Here are five recommendations* that we’ve learned about strategic cybersecurity budgeting over the years to help you optimize your security spending for maximum return on investment.
- Know what you are trying to protect and why
- Define your risk appetite
- Align your security spend with potential losses
- Beware of promising security technologies
- Measure the effectiveness of your security strategy
*This list is not meant to be exhaustive but focuses on a selection of best practices that we feel are most helpful.
Know what you are trying to protect and why
Surprisingly enough, many organizations implement a variety of security measures and strategies without first considering what it actually is that they have. They are unsure about what it is that is worth protecting and what is critical for ensuring continued success for the business. Although cybersecurity awareness has increased over the last couple of years, the following examples show how the decision to implement cybersecurity measures can differ from one company to the other:
- A healthcare provider, for example, should have a vested interest in keeping confidential patient data safe against identify theft.
- An online retailer or supermarket chain should focus on securing their payment processing activities as required by the Payment Card Industry Security Standards Council (PCI SSC).
- A financial institution, storing and handling vast amounts of critical data every minute of the day, should focus on securing their customer’s financial information and protecting their assets from fraud, ATM fraud.
- A technology company that generates their revenue from selling innovative products should, first and foremost, protect their intellectual property.
- A manufacturing plant should ensure 100% uptime of their operations and prevent disruptions to their manufacturing processes and industrial control systems.
“Whether you’re an entrepreneur, an employee, a leader of a team or division or you want to tackle the WHY of your entire organization, discovering the WHY injects passion into your work. And it’s those who start with WHY that have the ability to inspire those around them.” (Start with Why, 2018)
In the words of the famous Simon Sinek, author, motivational speaker and marketing consultant, how about starting with why? Knowing the motivation behind security spend will help you make better decisions and avoid wasteful spending without a sense of direction.
Without identifying what is really critical to your business success, you will probably struggle to legitimize a security expense that is not directly correlated with helping you protect what’s critical. Worse even, you may invest huge chunks of your budget in something that may end up wasting your money rather than putting it to good use. A cybersecurity posture assessment from an independent security expert can help you figure out what you have, where to start and how to reach your goals.
Define your risk appetite
According to the Institute of Risk Management, risk appetite can be defined as “the amount and type of risk that an organization is willing to take in order to meet their strategic objectives”. In other words, any security spending decision should be guided by how much risk your business is willing to take, what the business impact of a data breach would be and how much it would cost you to invest in adequate data protection measures.
Examples of organizations with different levels of risk appetite:
- A young company in a highly competitive and rapidly evolving industry will tend to take more aggressive actions to gain a competitive advantage and achieve its strategic objectives.
- An established company in a mature industry will tend to take more conservative, cautious actions to protect its current position and sustain market share.
When it comes to defining a cybersecurity budget for your organization, you should shy away from blindly comparing yourself to other companies in your industry and projecting their security spending patterns unto your business. While security spending statistics are indicative of general spending patterns and can provide guidance, they should be taken with a grain of salt.
As Rob McMillan, research director at Gartner, rightfully assessed:
“[…] you could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers”
Your organization’s risk appetite will have to be discussed and defined in collaboration with your executive management team, Board of Directors and other key players as necessary. Multiple considerations need to be taken in the process of determining your risk appetite (see figure below). Once properly defined, your risk appetite can guide your team in setting clear objectives that will support your vision and are in line with your risk tolerance.
Figure 1: Overview of Considerations Affecting Risk Appetite (Source)
Align your security spend with potential losses
When it comes to determining an ideal cybersecurity spend, too many organizations blindly follow generalized recommendations. For example, an IDC research commissioned by IBM determines the ideal cybersecurity spend to be anywhere between 9.8% and 13.7% of the organization’s overall IT budget. While this approach may serve as guidance and provide approximate instructions, it would be too simplistic to rely on a percentage alone without taking into account the ratio between your cybersecurity spend and potential losses.
One of the core principles of effective cybersecurity budgeting is to make sure that whatever you decide to spend on cybersecurity does not outweigh the potential monetary impact that a cybersecurity incident may have. In other words, don’t spend more money trying to protect something that would cost you less to lose.
Let’s look at a couple of examples:
- Your organization is currently spending $200,000 per year on cybersecurity controls, technologies and incident response strategies. If you were to be exposed to a given risk, which would make you lose up to $100,000, you know that you’re doing it wrong and spending too much.
- Your organization operates a data center in an area that gets hit by an earthquake every 4 years. The cost of rebuilding your data center as well as operational losses amount up to $4 million (i.e. $1m each year). If you are spending $1.5m each year to protect your data center, you’re doing it wrong.
Both examples illustrate that a cybersecurity budget should be defined in relation to what your potential losses might be. It cannot be taken out of context and should not be defined on the basis of its proportion of your overall IT budget alone. Again, a cybersecurity posture assessment can help your organization identify what the value of your data is and which potential losses you would face in the wake of a cyberattack.
Beware of promising security technologies
In today’s jungle of overly-hyped security software and solutions, we’ve often encountered customers who once put all their faith into purchasing the latest and greatest security tools, secretly hoping that it would help them address their cybersecurity concerns. Today’s information security market is flooded with promising tools, such as Security Information and Event Management (SIEM) software, which is often costly to acquire and even a bigger hurdle to configure and maintain.
Too often, organizations forget that cybersecurity is a human issue rather than a technical issue. As we have seen before, cybersecurity needs are contextual to each organization and require careful evaluation, strategy development and decision-making – not just a set of tools that are installed and then forgotten.
Regardless of which security technologies you have implemented, make sure you have the proper in-house expertise and bandwidth to operate these technologies and finetune them for maximum ROI. Unless you’re a multinational corporation with a huge cybersecurity budget, chances are you won’t have the internal resources, time and budget to deal with cybersecurity on your own. Instead, you may decide to outsource your cybersecurity to a reputable security service provider who can help you maximize your return on investment with targeted, impactful security campaigns.
Measure the effectiveness of your security strategy
“If you cannot measure it, you cannot manage it.” – Peter Drucker
Shockingly enough, a large majority of organizations don’t measure the effectiveness of their cybersecurity efforts against industry best practices and performance indicators. Instead, they go blind when it comes to reporting on their cybersecurity ROI to the Board of Director or to their management team. Here are a couple of alarming statistics from the 2017 State of Cybersecurity Metrics Report:
- One in three companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
- Four out of five companies don’t know where their sensitive data is located, and how to secure it.
- Two out of three companies don’t fully measure whether their disaster recovery will work as planned.
And even if organizations have some sort of measurement in place, too many still use good old Excel spreadsheets to list their cybersecurity tools but fail to monitor their effectiveness on a regular basis. Manual updates complicate tracking, create unnecessary tasks for the security team and can lead to confusion.
Before investing portions of your budget in costly cybersecurity tools, make sure that you will be fully capable of measuring their effectiveness once they’re implemented in your organization. A cybersecurity analytic tools can offer visibility of your organization’s cybersecurity posture and effectiveness, for example in accordance with the 20 Critical Security Controls. Plus, it can evolve over time and how you can lower your cybersecurity risk in line with your business objectives.
Related post: Why Organizations Aren’t Using Cybersecurity Frameworks
When it comes to strategic cybersecurity budgeting, we have learned that contrary to popular belief, there is no golden rule of how much organizations should be spending on security measures. In fact, organizations are best advised to approach their cybersecurity budgeting exercise by keeping their specific business context in mind. The more critical data you have to protect, the more important security will become for your organization’s continued success, financial standing and reputation.
Regardless of which industry you operate in, your security budget should be aligned with:
- the amount and relevance of data you process
- your level of threat exposure
- your risk appetite
- the applicability of regulatory requirements
Without evaluating your cybersecurity posture first, your organization may run the risk of implementing measures and strategies that are neither aligned with your business context, nor effective in protecting your critical data.
In the end, security spending will be judged based on its relevance and effectiveness for the business, and not on whether it includes the supposedly best security tools since sliced bread.
Stay focused on what really matters for your business and you are well on the way of maximizing the ROI of your security spend.
Do you need help defining your cybersecurity strategy and budget for the year? We’ve put together a Cybersecurity Strategy Planning Tool to help you get started! The tool is focused on 5 main areas that will help you define your cybersecurity needs and risk appetite, guide your spending efforts and maximize ROI of your cybersecurity initiatives.