Guide to Setting–and Selling–a Cybersecurity Budget Amid COVID-19

Author: Crypsis | A Palo Alto Networks Company October 14, 2020


Most companies realize that they need to take at least some action to protect against cyberthreats. With the global cybersecurity market surpassing $100 billion in 2019, it’s clear that these initiatives can be costly. So how do you know how much you should be spending? It’s difficult to predict exactly which threats you might need to overcome, and it’s equally tough to forecast the financial impact cyberattacks might have. Changes to everyday life, such as the COVID-19 pandemic, present additional challenges and can drastically affect how we do business and the types of threats we face.

Thankfully, you don’t have to go into the budget-setting process completely unarmed. There are several informational resources that can help you decide how much to spend and where to allocate your funds. A great place to start is compiling key data on areas such as compliance requirements, overall IT budget, and industry averages, which will make it far easier to sell your budget to firm executives.

In this blog, we will first examine key cybersecurity budget trends we’re seeing in 2020. We’ll then reveal the main factors you should consider when setting and selling your own budget.

2020 Cybersecurity Budget Trends

Understanding general shifts in cyber spending across a range of industries can help identify and justify your proposed cybersecurity budget.

Let’s start with how businesses are planning to alter their cybersecurity budgets in 2020. The ESG Master Survey Results: 2020 Technology Spending Intentions Survey found that 55 percent of organizations plan to increase their IT budget this year.

While 36 percent will maintain their existing cybersecurity budgets, 62 percent will increase their cybersecurity spending.

What are businesses basing their numbers on? Cisco’s study, Securing What’s Now and What’s Next: 20 Considerations for 2020, found that 61 percent of organizations allocate security spend based on outcome-based objectives and metrics; 54 percent base their figures on the previous year’s budget; and 53 percent look at cyber insurance as a key factor.

The same study found that organizations are spending more on preventive versus reactive measures. It also reported that teams are increasingly outsourcing, which could indicate that cybersecurity systems are becoming too complex or broad in scope for in-house personnel to manage.

“Our respondents are outsourcing for a variety of core reasons, and it’s not only cost. Cost efficiency is marginally ahead as the number one reason at 55 percent. However, it's quickly followed by security teams that want more timely responses to incidents (53 percent).” (Source: Cisco)

Factors to Consider When Determining Your Cybersecurity Budget

In addition to general spending trends, an in-depth assessment of the following factors can help you determine what you should be spending on cybersecurity as well as sell a proposed budget to senior leadership:

  1. The organization’s attitude toward cybersecurity
  2. Compliance considerations
  3. Your overall IT budget
  4. Industry-specific spending averages
  5. Specific technical and organizational changes needed
  6. Anticipated return on investment

Let’s delve into these in a bit more detail.

1. Attitude Toward Cybersecurity

One of the first considerations is often overlooked. Companies have differing attitudes toward cybersecurity, and these perspectives will greatly sway how much leadership is willing to spend. For example, the EY Global Information Security Survey 2018-2019 found that larger companies are more likely to increase their information security budgets than smaller ones.

Predictably, companies that have experienced a damaging data breach in the past are more likely to be willing to invest larger amounts of money in data security efforts.

EY reported that 76 percent of companies increased their budget after a serious breach.

Source: EY Global Information Security Survey 2018-2019

Here are a few general approaches that may describe your company:

  • Entirely reactive: There’s virtually no upfront spending on cybersecurity and all investments are made reactively, following cyber incidents. While these companies save in the short term, this approach could end up being more costly in the long run.
  • Meeting industry standards: The organization does what is required to meet industry regulations and keeps spending on par with industry averages.
  • Calculating risks: Cybersecurity spending is based on understanding the threats the company might face and reducing the risk of its vulnerability to attacks. This approach typically equates to higher spending.
  • Proactive: The organization is very security focused, proactively tests for vulnerabilities on a regular basis, adopts non-compulsory regulatory frameworks, and builds a culture of security awareness. These companies may even use their cybersecurity prowess as a key differentiator; this is typically the highest cyber spend category.

Understanding your organization’s general attitude is helpful because it tells you whether leaders and the board need further education on the importance of a proactive security approach. That education can take the form of meaningful statistics on the cost of breaches and on rising threat activity, both across organizations generally and within your sector.

2. Compliance Considerations

Another critical factor in the budget-setting process is understanding what you are required to do in terms of cybersecurity. If your company is under compliance constraints, such as being required to comply with HIPAA (Health Insurance Portability and Accountability Act) or GDPR (General Data Protection Regulation), those obligations mandate specific activities and their associated costs.

The driving principle behind many regulations is protecting consumer data privacy and security. For example, HIPAA ensures that health organizations handle ePHI (electronic Protected Health Information) securely. They must apply the proper administrative, technical, and physical security controls to safeguard data while it is in use, in transmission, or at rest.

Similarly, the GDPR outlines data protection standards that must be followed by any entity that processes the personal data of EU citizens or residents (whether or not the entity resides in the EU). Principles cover purpose limitation, data minimization, and accuracy, among other areas.


Many industries have sector-specific, compulsory requirements, and budgets should factor in any that apply to you.

Note: regulatory compliance does not equate to a solid cybersecurity strategy by default. Regulations can be slow to catch up with what is happening in real time, and frameworks can be limited to specific areas of focus, so meeting them should be considered the bare minimum when deciding how to protect data.

3. Overall IT Budget

Cybersecurity is often accounted for as a portion of a company’s IT budget. According to Frank Dickson of International Data Corp. (IDC), organizations should consider allocating 7–10 percent of the IT budget to data security (Source: CSO).

It appears that companies are heeding this advice. The 2019 State of the CIO survey found that businesses spend on average 15 percent of their total IT budget on IT security.

So what do the numbers equate to? The CSO US State of Cybercrime 2018 report found the average IT security budget increased from $11 million to $15 million in 2018. Of those surveyed, 15 percent of companies had an IT security budget over $10 million and 37 percent had a budget less than $250,000.

But these percentages aren’t hard-and-fast recommendations. Allocations should also be determined by the company’s willingness to assume risk, the amount of sensitive data you process, and the industry within which you operate, since your sector influences how likely you are to be targeted by threat actors (more on this to follow). Keep in mind, though, that no sector is immune to attack, and threats are an ever-present risk that can be extremely costly.

4. Industry-Specific Cybersecurity Spending Averages

General trends are helpful, but it’s even more useful to find out about cybersecurity budgets within your industry. By examining industry averages, you can get an idea of what competitors are doing. In particular, you should pay close attention to those that appear to have successful cybersecurity strategies.

That said, obtaining industry-specific cybersecurity spending data isn’t always easy. In the absence of studies providing the information you need, you may have to rely on news reports and press releases to try to deduce what’s happening behind the scenes.

To make things simpler, you could instead look at data on cybersecurity costs for your industry. It makes sense that industries suffering higher damages should be spending more on cybersecurity.

Take this chart from Accenture’s 2019 Cost of Cybercrime Study, showing the cost of cybercrime by industry.

Source: Accenture’s 2019 Cost of Cybercrime Study

Based on this, you can conclude that firms in the banking and utilities industries should be making more significant investments in proactive security measures.

5. Specific Technical and Organizational Changes Needed

Even if you’ve based your total budget on industry averages, throwing out an arbitrary number isn’t helpful in practice. Instead, you can work within that total to decide how much can be allocated to specific changes that need to be made.

Aside from helping you set a reasonable budget, this is useful in two major ways. First, it forces you to devise a thorough, proactive cybersecurity strategy. Second, it equips you with the information you need to sell the budget to others.

When outlining your budget, be specific about what changes you need to implement and allocate anticipated costs to each change.

For example, do you need staff, hardware, software, training, or fully managed security services? The more detail you include in your plan, the better. If you don’t know what your cybersecurity gaps are, an initial investment in a cybersecurity assessment is a powerful tool; it can help you justify your budget recommendations by pointing to the areas that require prioritized focus. If you’re fairly new to cybersecurity planning, you may also want to consult NIST, CIS Controls, and other frameworks that can serve as a guide.

As part of your plan, you might consider comparing the costs of various methods for executing select parts of your strategy. For example, for many companies, it will make more sense to outsource certain tasks than to hire additional personnel.

6. Anticipated Return on Investment

Accurately determining return on investment when it comes to cybersecurity can be difficult. As mentioned, there are many unknowns with regard to the threats you might face and the damage they can do.

However, you can look at historic company and industry data to help you come up with some realistic numbers. Of particular interest will be the number and severity of attacks as well as the costs associated with them. When looking at company data, analyze past incidents in terms of how much you could have saved if certain changes had been implemented sooner.

To be proactive, you can examine trend predictions to anticipate how costs might change in the future.

Try to put a monetary value on existing and future data assets and use hypothetical data to analyze the costs associated with possible future incidents.

Note that using this approach—and trying to mitigate every risk—can easily result in overspending. As such, you also need to try to identify the point of diminishing returns.

Consider Cybersecurity Services

Setting a cybersecurity budget can be an overwhelming task, especially when you’re required to plead your case to those controlling company funds. By following the advice above, you can take an analytical approach to the problem and leverage internal and external information to your benefit.

Do you need more help in setting and selling a cybersecurity budget? Get in touch with a trusted advisor today and learn why Crypsis has been named a top ten digital forensics company.
