Budgeting for Cybersecurity: Risk vs Reward
By Jules Campeau, CRO of NuData Security
Companies are facing an onslaught of cybercrime, everything from DDoS attacks to breaches to insider theft, and the numbers are staggering. Cyberattacks typically cost large businesses $861,000 and small businesses about $86,500 on average, according to Kaspersky Labs. Jupiter Research estimates that the cost of data breaches will reach $2.1 trillion globally by 2019. The frequency of attacks and the cascade of numbers now make this a CEO and boardroom issue, as cyberattacks could cause major damage or even take whole businesses down.
Cross-sectional security budgeting
IT security budgets are set to grow 14% on average over the next three years, with spending ranging from as little as $1,000 for small businesses all the way to a million dollars for large companies. While some analysts, such as Cybersecurity Ventures, predict a burst of spending (12-15% year-over-year growth through 2021), Gartner Research reports that IT security spending will account for less than 5% of worldwide IT spending.
However, true organizational spending on IT security, risk management and business continuity is difficult to determine because it crosses a multitude of departments, and the issue becomes muddy when various entities do not think security is part of their budget. Cross-departmental budget sharing is evolving in the digital era as security touches every part of the business from the top down. It is the lack of insight across the enterprise that leads to the inability to accurately assess security needs and budget.
The new mindset should be that security is part of every department's budget. Look for projects with common goals and outcomes (customer experience and user authentication will often garner a budgetary line item), and have each stakeholder contribute a portion of the budget. You can also get more budgeting dollars by leveraging bottom-line increases such as incentives for VIP customers, revenue increases, and spend increases throughout the customer lifecycle.
Gartner recommends starting with standardized budget information. With that measure in hand, teams should prioritize risk and make sure that procedures and technologies are in place to actively and properly service top security initiatives.
How much is enough?
Security spending does not equal security effectiveness; effectiveness takes hard analysis based on business needs, processes and outcomes. Compliance and regulations can be used to justify security and risk management budgets, along with the pressure of threats that could result in branding damage, legal damage and more.
The main objective is to protect what hackers want most: data, account information and personal information. Ensure that there is a layered security approach combined with best practices and real-time solutions that alert IT teams to a breach as soon as possible, and that teams have the tools to enact remediation immediately to mitigate damages.