Optimizing Your Cybersecurity Budget

Strong cybersecurity comes at a price. The exact amount depends on your risk tolerance.

John Edwards, Technology Journalist & Author

December 6, 2021


“Money should be no object when it comes to cybersecurity” is a phrase often uttered by people who generally know very little about money and even less about cybersecurity.

Actually, money does matter. It matters a lot. If money didn't matter, even the most modest enterprise could hire a team of experts to work around the clock to build, operate, and maintain a military-grade cybersecurity infrastructure.

The truth is that cybersecurity, like any other business operation, has to follow a budget.

Budget Optimization

Security budgeting can be challenging since the vulnerability landscape changes daily. “We, as a cyber practice, do not believe there is a single magic software or platform,” says Rahul Mahna, managing director, managed security services, at risk and regulatory compliance advisory firm EisnerAmper Digital. He suggested creating a budget that adheres to three distinct visions: past incident reflections (to prevent repeating previous mistakes); current security needs; and future plans.

All cyber events and impacts aren't equal, nor are organizations equally able to defend against and recover from them. “We advise leaders to optimize cybersecurity spend by first working to quantify the risk unique to their organizations in specific dollar terms,” says Andrew Morrison, US cyber risk services strategy, defense, and response solutions leader at business advisory firm Deloitte. Cyber risk quantification allows leaders to calculate expected losses from a cyber event in dollar terms. “Through bespoke modeling and scenario simulation, it's possible to determine fairly accurate estimates of financial loss that could result from a cyber event -- and to help determine how cyber spend should be allocated and prioritized to more impactfully address those specific risks.”

Avoiding Pitfalls

Many organizations start building their cybersecurity budget under the faulty assumption that they will probably never be attacked. They then believe they can safely minimize their cybersecurity investment. “I can think of thousands of companies that felt the same way,” says Alan Brill, senior managing director of the cyber risk practice at governance and risk advisory firm Kroll. Most eventually learned -- the hard way -- that attacks can hit any enterprise at any time.

It doesn't matter if an enterprise has a high, medium, or low profile, since attacks are frequently random and/or automated. In many cases, it's like being a duck in a shooting gallery. “If you're using particular software, and that software has a previously unknown security vulnerability, you can be successfully attacked,” Brill warns. “There are no guarantees.”

One of the biggest mistakes enterprise leaders make when building and allocating their cyber budgets is taking a “peanut butter approach” -- spreading funds equally across all cyber domains in an attempt to broadly mitigate risk, Morrison says. “The challenge with the peanut butter approach,” he explains, “is that organizations stand to underinvest in areas that actually pose the greatest risk while overspending in less risky domains.” For example, in some organizations the security of the supply chain, and its underlying operational technology, may be more critical to business operations than the security of a cloud transformation effort.

Mahna says his clients typically become interested in cybersecurity only when there's a compelling reason to begin the conversation. “Clients then aggressively move to have lengthy discussions and want to fill the many gaps that we identify with risk-based solutions,” he explains. Then ... absolutely nothing happens. “At this juncture, there's usually a 'pause of complacency' that sets in,” Mahna notes. “We call it the ‘run fast and go nowhere’ mentality.”

Since nothing awful happens during the pause, the client typically begins to think: “So why spend this money if everything appears fine? They completely forget the original compelling reason why the conversation started,” Mahna says. “That’s usually the biggest mistake and, usually, when a negative cyber event occurs.”

Building Support

Winning management support is an essential step toward creating a realistic and effective cybersecurity budget. “It can be really tough for cyber teams to prove a negative -- that there’s value in a large cyber spend if revenue hasn't been lost as the result of a cyber event,” Morrison explains. “However, when cyber teams have justifiable models to demonstrate the likelihood and impact of potential cyberattacks specific to an organization’s unique and current threat profile, it can help paint a clearer picture to the rest of the C-suite, board and other stakeholders on the value of the true cyber investment required.”

Cybersecurity Budget Takeaway

Budgeting for cyber defense, managing risk, and preparing for an incident is simply a part of doing business in the 21st century, Brill observes. “Recognizing that an incident may occur, and result in charges that were not budgeted for, is a reality that every organization must recognize and plan for.”

About the Author

John Edwards

Technology Journalist & Author

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.
