How to Budget for Cybersecurity Effectively
The threat of cybercrime isn’t just going to get bigger; it’s going to make history.
That’s the message coming loud and clear from experts such as Cybersecurity Ventures and its publication Cybercrime Magazine. They forecast that annual damages from cybercrime will double by 2021, reaching a staggering $6 trillion per year. Editor-in-Chief Steve Morgan noted that this will be “the greatest transfer of economic wealth in history,” even outstripping the illegal drug trade.
The scale of that damage threatens investment and innovation. Add the growing threat to data security and it’s easy to see why companies are spending more on their defenses: cumulative spending on cybersecurity from 2017 to 2021 will exceed $1 trillion, per Morgan’s analysis.
Step One: Get a Bigger Budget
While damage from cybercrime is vast, and while a huge amount of money is going toward protection, business owners still often struggle to fund reasonable security budgets. In a poll conducted by Neil Weitzel, a security researcher at the security firm Cygilant, 86% of respondents said that cybersecurity was not receiving enough funding at their firms. The survey also found that under 10% of the average IT budget was being directed toward security.
So how do you get a bigger security budget? Weitzel suggests starting with a thorough inventory of your valuable assets, then using a periodic risk assessment to highlight the areas of greatest concern. Show how those assessment findings point to the specific protections that need strengthening. Finally, get to the point: state plainly that the current budget leaves no room to strengthen those key areas.
Step Two: Use Security Scorecards
Security scorecards, checklists of potential vulnerabilities paired with an assessment of the associated risk, can help. After all, much of what is difficult about security and compliance is communication. Managers and leadership may know what the business assets are, and that compliance, business continuity, and disaster recovery are key priorities for the company, but your security recommendations still have to be readily understood by people who do not work in security.
For example, for incident response you can set up a scorecard for each tool in that program. Each scorecard should also carry the detail behind its score, the findings from the assessment that support it, so that the score can justify a specific budget line item.
Scorecards are a way for security pros to help communicate budgets in terms of business goals, such as preventing breaches to maintain business credibility. Rishi Bhargava, the co-founder of security orchestration firm Demisto, promoted the use of security scorecards. He points out their true scope: “Digital risk management touches every department,” Bhargava says, “from human resources to marketing, and cybersecurity products must contribute to helping the business achieve its overall goals.”
Step Three: Categorize to Prioritize
It can help you budget when you think in terms of categories. For cybersecurity, three of the top priorities are:
- Detection & response
- Business continuity & disaster recovery (BCDR)
- Prevention
Enterprise security analyst Eric Parizo noted that estimates have historically shown businesses spending more than three-quarters of their cybersecurity budgets on prevention. Spending that heavily on one area leaves little for the other aspects of security.
Prevention will not stop everything. Sooner or later an attacker will get past your defenses and install malware on a server, and at that point the question is whether you can notice it, contain it, and recover. Plan for that case before it happens: a complete defense strategy budgets for detection, response and recovery, not only for keeping attackers out.
Here are three key categories to consider, with some of the most common elements and why the category is a priority, as highlighted by WatchGuard Technologies CTO Corey Nachreiner:
1. Business continuity and disaster recovery (BCDR)
- cloud-hosted systems
- backup systems
- cyber insurance
Why it’s important: BCDR solutions enable an organization to recover data and systems following a breach or other unforeseen calamity.
2. Detection and response
- security information and event management (SIEM) systems
- endpoint detection and response (EDR) systems
Why it’s important: Parizo specifically noted that this category is often overlooked, though he sees businesses moving toward budgeting models with substantially more detection and response spending. These often-neglected tools let you recognize and investigate malware and attacks that get past your preventive controls, and they support cleanup once your network is compromised.
3. Prevention
- cloud-hosted email filtering systems
- advanced malware protection systems
- intrusion prevention systems (IPSs)
Why it’s important: While you want to consider all angles of cybersecurity, you still want to do whatever you can to prevent issues in the first place. These solutions identify and block threats before they strike.
Ready for Anything
The threat landscape remains a minefield for businesses, just as it does for individuals, so making the most of a cybersecurity budget is a shared need. By making an effective case for a larger budget, implementing security scorecards, and budgeting for detection, response and recovery rather than prevention alone, you can put your funds toward the strongest possible defense.