Cyber Security Budgeting - Finding the Right Balance
In the world of cyber security, budgeting is far from a one-size-fits-all formula. Various factors come into play when determining the right investment for your organisation’s security needs. Let’s delve into some key considerations that can guide the decision-making process.
Understanding the landscape
A report by Deloitte highlighted that, as of 2020, around 10.9% of IT budgets were dedicated to cyber security, averaging roughly 0.48% of an organisation's revenue. This was an increase from 10.1% and 0.34% respectively over the previous year.
So for an organisation turning over £5 million per year, somewhere around £24,000 would be spent on cyber security per year. The question remains: is this a significant figure, or is this insufficient given the emerging threats and evolving landscape?
With the economic uncertainty faced by many organisations globally, it’s certainly a tricky time to be thinking about where to spend. This article in the Wall Street Journal highlights the impact of the current economic climate on cyber security budgeting. It found that CISOs and other executives are being more selective about which cyber security services they purchase due to slashed budgets, with many preferring to spend on platforms that solve multiple issues at once.
Cyber security expert Phil Venables recently published a strategic approach on the topic, thinking in terms of supply and demand.
Supply and Demand:
Supply simply encompasses the resources to meet the demand - people, services, products or other expenditures. The demand might be tasks such as reviewing and mitigating risks on a new business product, handling vulnerabilities, investigating potential incidents, onboarding new vendors or new technologies and so on.
The goal is to balance supply and demand, ensuring the resources fit the demand. The problem most organisations face is that demand is outpacing supply, due to business growth, IT changes, new threats and vulnerabilities and other drivers.
Venables argues you have to look at all sides of the problem:
Demand Side Management:
Decrease demand by adjusting risk appetite. Redefine what you think is important, prioritise by the most critical assets, define what actually is critical and the scope of your security program.
Decrease demand by the wholesale elimination of risk. This is essentially risk avoidance: removing certain business services, products, vendors or whole classes of technology. For example, reduce how many privacy-critical systems you need to protect by removing critical data from them, allowing you to consolidate onto a smaller number of protected systems.
Supply Side Management:
Increase resources. Simply ask for more budget. Many organisations, however, focus on this without looking at the demand side or alternative supply-side approaches.
Increase resource efficiency. Increase the leverage of the resources you already have. This may mean scaling processes better, increasing employee training and so on.
Consequences of a supply-side deficit. If you can’t balance supply and demand, then you have a supply-side deficit.
You either have the supply to meet demand or you build up a risk deficit that needs to be formally accepted.
This approach allows you to consider the demand your organisation has and what the important risks are, and then to see what supply you have and what supply you need.
Tailoring your approach
The right budget will also depend on your organisation’s unique context. Factors such as size, industry, legal requirements, budget constraints and threat landscape all come into consideration when determining the right figure for your organisation.
Your organisation’s size will play a role. An organisation consisting of 5 people probably does not require a SOC (Security Operations Centre). Likewise, an organisation of 100 may need a much larger-scale security training and awareness program, due to an increased attack surface that naturally emerges from having more employees.
Legal requirements will highlight some security requirements you might be obliged to meet. You may fall under data protection laws, such as GDPR, meaning the way you process and store information would have to follow its guidelines. It is important to be aware of what requirements you must meet, and ensure that you are compliant.
Budget constraints will be a widespread concern, given what we have seen reported in the Wall Street Journal. Economic instability may discourage organisations from thinking about managing cyber risk because of the perceived costs. Fortunately, there are many low-cost options a business can follow. The idea is to create a secure culture within the organisation. Training and awareness programs are relatively cost effective. Furthermore, there may be some free or low-cost security settings within assets you already use, such as your email platform, that simply require configuring.
The threat landscape is one to always keep an eye on. It is important to know what threats can actually impact your organisation and to what degree. This is why risk assessments are popular: they allow you to estimate the likelihood and impact of a threat. This is where your risk appetite will come into play. What risk can you accept? For anything that you cannot accept, what is the likelihood and impact? What steps are you going to take to address this risk?
Prioritising your assets is important within the risk assessment phase. How does the CIA triad (confidentiality, integrity and availability) of the information on these assets matter to your organisation? This allows you to clearly define the critical assets and to prioritise the security controls needed to protect them. For example, you may have an AWS environment that always needs to be available; this indicates that the criticality of this asset is far greater than that of a communication channel such as Slack.
What makes cyber security a complex area to tackle is usually that it’s jargon-ridden and is essentially a constant game of whack-a-mole. You can never guarantee “100% secure”, which might make you ponder why you should even bother. However, cyber risk reduction provides necessary resilience against threats within the digital landscape.
Cyber security isn’t a one-time investment. Threats are constantly evolving and new threats are emerging, so you have to stay vigilant, which unfortunately does incur continuous costs.
The good news is that for the last few years, the main threats have remained relatively the same. Verizon’s Data Breach Investigations Report (DBIR) consistently has stolen or compromised passwords, phishing emails, exploited vulnerabilities and ransomware ranking high every year. These would be good starting points, and some of the actions involved in managing these threats can be done with little effort or cost. The effectiveness, again, will depend on your context.