“How much should I spend on cybersecurity?” It’s a question our customers ask us time and time again. Unfortunately, there’s no simple answer, because what works for one business doesn’t necessarily work for another. Finding the right spend depends on a multitude of factors including the size of your budget, your risk tolerance, your current security capabilities, and executive support.
Based on years of experience working with hundreds of businesses like yours, we’ve compiled a three-step list to guide you through the budget planning process. Because if you do the work up front, your cybersecurity spend will become money well spent.
Know the difference between upfront and actual spend
Spending on IT security should be viewed as an investment opportunity, not a business expense. And like all good investments, it’s about playing the long game if you’re to see a significant return.
Budgets are set long before they’re realised in results, and it’s the nature of the beast that successfully preventing a cybersecurity attack doesn’t come with a notification. That’s why a large proportion of businesses treat IT security as an expenditure that they’d rather do without, choosing instead to minimise ‘costs’ and run the risk of cyber-attack further down the line. This strategy works brilliantly … until you’re the victim of cybercrime.
Minimal upfront investment leads to ‘panic spending’ in the aftermath of an attack. In a bid to clean up the mess, businesses will throw money at sub-par remedial solutions and tie themselves to new products and services that eat into the bottom line long after the event.
Conversely, upfront, proactive investment prevents excessive expenditure further down the track, and even adds value, or acts as a key differentiator, to your business’ service or product.
A great starting point for planning a budget is to use hypotheticals. Work backwards from a security breach: what would happen if your business was attacked? How much money would you lose, whether through stolen funds or loss of employee productivity? What would it cost to remedy the situation?
Hypotheticals make a great business case for increasing your security budget, especially when we consider the impact of a security breach beyond a budget blowout. Would a security breach damage your business’ reputation? Would your customers and end-users lose confidence in your business? What are the ramifications of client data loss?
Prioritise your spend and protect the crown jewels
The practicalities of business mean that increasing the cybersecurity budget is easier said than done. All budgets have a cap, and we’re more or less confined within them.
One workaround is to identify the ‘crown jewels’ of the business and allocate your security spend accordingly. Does your business handle highly confidential and sensitive information such as medical records or banking details? What’s the likelihood of a security breach attracting national or even international attention?
Identifying your crown jewels will set the foundation for your business’ security strategy and help you to understand where your priorities lie, and what your risk tolerance is.
Spend smarter and enlist the help of a professional
Throwing more money at one area risks diverting it away from another. Rather than exposing yourself to risks deemed medium or low priority, get more value from your money by reapportioning your security spend.
This involves finding better ways to invest your money so that you can still meet your expectations without necessarily spending more.
Generally speaking, spending on cybersecurity is apportioned across IT staff, software and hardware, contractor support and outsourcing of services.
A small business that can’t afford to hire more staff will benefit from outsourcing their security instead, while larger organisations may get more bang for their buck by automating their existing security controls and processes rather than buying more software.
This can be an arduous task, and it often helps to work with an external security provider who can give expert recommendations on how to apportion your spend. An external provider like Origin Security will identify the vulnerabilities in your current security setup, the security threats that are putting your organisation at risk, and the solutions and strategies you should implement that will guarantee your security spend is money well spent.