In the world of cyber security, budgeting is far from a one-size-fits-all formula. Various factors will come into play when determining the right investment for your organisation’s security needs. Let’s delve into some key considerations that can guide the decision making process.
Understanding the landscape
A report by Deloitte highlighted that, as of 2020, around 10.9% of IT budgets were dedicated to cyber security, averaging roughly around 0.48% of an organisation's revenue. This was an increase from 10.1% and 0.34% over the previous year.
So for an organisation turning over £5 million per year, somewhere around £24,000 would be spent on cyber security per year. The question remains: is this a significant figure, or is this insufficient given the emerging threats and evolving landscape?
With economic uncertainty faced by many organisations globally, it’s certainly a tricky time to be thinking about where to spend. This article in the Wall Street Journal signifies the impact of the current economic climate on cyber security budgeting. It found that CISOs and other executives are being more selective of what cyber security services they purchase due to slashed budgets, with many preferring to spend on platforms that solve multiple issues at once.
Expert insights
Cyber security expert Phil Venables recently published a strategic approach on the topic, thinking in terms of supply and demand.
Supply and Demand:
Supply simply encompasses the resources to meet the demand - people, services, products or other expenditures. The demand might be tasks such as reviewing and mitigating risks on a new business product, handling vulnerabilities, investigating potential incidents, onboarding new vendors or new technologies and so on.
The goal is to balance supply and demand, ensuring the resources fit the demand. The problem most organisations face is that most demand is outpacing the supply, due to business growth, IT changes, new threats and vulnerabilities and other drivers.
Venables argues you have to look at all sides of the problem:
Demand Side Management:
Decrease demand by adjusting risk appetite. Redefine what you think is important, prioritise by the most critical assets, define what actually is critical and the scope of your security program.
Decrease demand by the wholesale elimination of risk. Essentially risk avoidance by potentially removing certain business services, products, vendors or whole classes of technology. For example, decreasing how many privacy critical systems you need to protect by removing critical data from them, allowing you to consolidate across a smaller number of protected systems.
Supply Side Management:
Increase resources. Simply ask for more budget. Many organisations however focus on this without looking at the demand side or alternative supply side approaches.
Increase resource efficiency. Increasing the leverage of resources you already have. This may be scaling processes better, increasing employee training and so on.
Risk Acceptance:
Consequences of supply side deficit. If you can’t balance supply and demand then you have a supply-side deficit.
You either have the supply to meet demand or you build up a risk deficit that needs to be formally accepted.
This approach would allow you to consider the demand that your organisation has and what are the important risks, allowing you to then see what supply you have/need.
The Cyber Ranch Podcast - Defining Budgets:
Cyber Security experts Allan Alford and Tim Rohrbaugh also shared their views on budgeting on a recent podcast.
Allan signalled that budgeting should be tied to specific risks identified vs specific businesses processes and/or assets determined by business impact analysis. You should sit down with business leaders and see what they care about most, what process is most valuable.
He believes we should be looking at risks in terms of impact and plausibility, not probability. Plausibility is more realistic. The risks we identified should be based on the assets we value.
Plausibility would be based on plausibility factor and impact based on business impact analysis, giving us the risks neatly lined up. This allows you to work out what people, processes and technologies are required to address this risk. The budget is now based on feedback from business on what matters, giving an aligned figure on what it takes to solve.
Tim has a slightly different opinion. From a bigger picture perspective, cyber security only exists because of criminals, remove the criminals and there is no reason to have a cyber team. When asking how much should a company spend? If you start with consequences it’s a slippery slope and undermine the profession as numbers don’t work out, they would need the consequences to actually materialise to see a ROI.
He goes on to explain that cyber security as a function will not be higher than IT. IT becomes the gauge for a cyber security budget. He recommends that 10% of the IT budget is a good place to start for a cyber security budget. However, the threat landscape always changes so you should adjust this budget accordingly.
He gives the analogy that your car insurance payment should never exceed car payment. Otherwise what’s the point, you might as well skip insurance and run the risk. In this view, cyber security is there to protect the IT, so why should it cost more than the IT.
Tailoring your approach
The right budget will also depend on your organisation’s unique context. Factors such as size, industry, legal requirements, budget constraints and threat landscape would all play into consideration when determining the X figure for your organisation.
Your organisation’s size will play a role. An organisation consisting of 5 people probably does not require a SOC (Security Operations Centre). Likewise, an organisation of 100 may need a much larger-scale security training and awareness program, due to an increased attack surface that naturally emerges from having more employees.
Legal requirements will highlight some security requirements you might be obliged to meet. You may fall under data protection laws, such as GDPR, meaning the way you process and store information would have to follow its guidelines. It is important to be aware of what requirements you must meet, and ensure that you are compliant.
Budget constraints will be a widespread concern, given what we have seen reported in the Wall Street Journal. The economic instability may not have organisations thinking about managing cyber risk due to the perceived costs. Fortunately, there are many low-cost options a business can follow. The idea is to create a secure culture within the organisation. Training and awareness programs are relatively cost effective. Furthermore, there may be some free/low-cost security settings within assets you use, such as your email platform, that simply require configuring.
The threat landscape is one to always keep in the loop. It is important to know what threats can actually impact your organisation and to what degree. This is why risk assessments are popular, they allow you to estimate the likelihood and impact of a threat. This is where your risk appetite will come into play. What risk can you accept? Anything that you cannot accept, what is the likelihood and impact? What steps are you going to take to address this risk?
Prioritising your assets is important within the risk assessment phase. How does the CIA triad (confidentiality, integrity and availability) of the information on these assets matter to your organisation? This allows you to clearly define the critical assets, and allows you to prioritise security controls that are needed to protect them. For example, you may have an AWS environment that always needs to be available, this will then indicate that the criticality of this asset is far greater than a communication channel such as Slack.
Continuous adaptation
What makes cyber security a complex area to tackle is usually that it’s jargon-ridden and is essentially a constant game of whack-a-mole. You can never guarantee “100% secure”, which might make you ponder why even bother? However, cyber risk reduction provides necessary resilience against threats within the digital landscape.
Cyber security isn’t a one-time investment. Threats are constantly evolving, new threats are spawning so you have to stay vigilant, which unfortunately does incur continuous costs.
The good news is that for the last few years, the main threats tend to remain relatively the same. Verizon’s Data Breach Investigation Report (DBIR) always tends to have stolen/compromised passwords, phishing emails, exploited vulnerabilities and ransomware ranking high every year. These would be good starting points, and there are some actions within managing these threats that can be done with little effort/cost. The effectiveness again will depend on your context.
If you would like some guidance, feel free to check out our free resources page or get into contact for anything else.