In most organizations, the cybersecurity budget competes against other IT initiatives as well as projects and solutions that will generate revenue for the business. Security initiatives rarely show a direct return on investment unless the initiative is geared towards process or operational improvements that reduce costs, so how do you demonstrate and justify a proper security budget?
Research reports frequently provide statistics on the average cost of a data breach or the cost per breached record, and it may be tempting to use these numbers to estimate security budget requirements or to motivate executive management or the board of directors into action. While these reports can provide valuable information regarding the threat landscape, the numbers they provide are generally neither useful nor intended for planning a security budget. There is no “average” company or data breach, and estimates of the average cost per breached record vary greatly, with widely published reports indicating a range anywhere from sixty cents to one hundred and fifty dollars per record. The statistics and averages that these reports provide are frequently quoted out of context in the media, resulting in estimates that overstate and sensationalize the potential cost of the latest data breach.
“Before an organization can estimate a budget for cybersecurity, it needs to understand the risks and threats that it needs to protect against as well as the value of the assets that it needs to protect”
So if the numbers provided by the widely published reports are not useful for budgetary purposes, what objective sources can be used to estimate a rational amount of spending and where to spend the money? Annual reports of public companies that have experienced a data breach can be a useful source of factual information. For relatively recent breaches the report should include the current financial impact of the incident as well as anticipated future costs. For incidents that are several years old, the reports can be a valuable source of information on the total cost of an incident over an extended period of time. Many states have data breach laws that require companies to disclose data breaches, and several websites publish this information. These sites can be a great source of objective information about the typical data breaches that occur on a regular basis, rather than the high-profile breaches that are usually covered by the media. Cyber insurance is becoming more and more common, and reports issued by insurers are another source of factual information. While cyber insurance can be a valuable tool for mitigating risk exposure, the coverage must be carefully analyzed: most policies only cover direct financial losses, such as recovery and investigation costs, and do not address less tangible losses, such as the indirect loss of business or customers.
A certain amount of cybersecurity spending is mandatory. For example, companies must properly protect their data and systems so that they are compliant with all of the regulations that apply to their region or industry. They must also demonstrate appropriate due diligence so that they are not exposed to lawsuits in the event of an incident. Beyond the mandatory spending, the remaining spending is discretionary, and like all spending it usually only makes sense if the anticipated benefits outweigh the costs. If we assume that all of our legal and regulatory requirements are met by our mandatory spending, it generally does not make sense to spend $200,000 of a discretionary security budget to protect an asset whose breach would only result in a $100,000 loss. In practice the comparison should be made against the expected loss, that is the likelihood of a breach multiplied by its impact over the life of the control, rather than against the raw loss figure.
Before an organization can estimate a budget for cybersecurity it needs to understand the risks and threats that it needs to protect against as well as the value of the assets that it needs to protect. In some cases it may make sense to spend the majority of a security budget on highly valued assets while providing a lower level of protection for, or simply insuring, less valuable assets. It is crucial to have a proper asset inventory that clearly identifies the criticality and value of the key assets in order to analyze and rationalize security spending.
Security vendors may tell you that buying and implementing the latest product or service is the answer to your security concerns, but in most cases the lack of a new product or technology is not the primary factor in a data breach. Ensuring that basic security, compliance and risk management best practices are followed may yield a better return on investment than purchasing the latest security product; for example, prioritizing operational improvements in asset classification, access control, encryption, and training. In addition, all threats, not just external ones, need to be considered when protecting assets. Spending $100,000 to provide extensive protection of a $500,000 asset against an external threat may make sense, but if the same asset could be easily compromised by a non-privileged insider then significant control gaps still exist and perhaps the $100,000 should be allocated differently.
Overall, rationalizing spending requires a structured and analytical approach. A variety of resources should be used and the objectivity of each report or analysis should be carefully considered. Insider and outsider threats, as well as malicious and non-malicious actions, must be considered, and the benefits of improving existing procedures and controls should be carefully weighed against the purchase of new solutions.
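As an added illustration of the cost/benefit reasoning in the paragraphs above (the $200,000 control on a $100,000 asset, and the $100,000 external-threat product on a $500,000 asset that an insider can still compromise), the following Python is example code written for this page, not from the article. It uses the standard annualized loss expectancy model: for each threat, expected annual loss is asset value times exposure factor times annual rate of occurrence, and a control is worth buying only if the expected loss it removes exceeds its cost. All asset values, threat rates, control names and effectiveness figures are constructed assumptions chosen to mirror the article's numbers, not data from any report.

```python
"""Quantitative cost/benefit screen for discretionary security controls.

Added illustrative example; it is not from the article. It applies the standard
annualized loss expectancy (ALE) model: per threat, ALE = asset value x exposure
factor x annual rate of occurrence. Every figure below is a constructed
assumption chosen to mirror the article's $500,000 asset and $100,000 control.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float   # expected occurrences per year (ARO)
    exposure: float      # fraction of the asset's value lost per occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # purchase and upkeep, amortized per year
    reduction: Dict[str, float]   # threat name -> fraction of its ARO removed


def ale(asset_value: float, threats: Sequence[Threat],
        controls: Sequence[Control] = ()) -> float:
    """Total annualized loss expectancy with the given controls in place."""
    total = 0.0
    for t in threats:
        rate = t.annual_rate
        for c in controls:
            rate *= 1.0 - c.reduction.get(t.name, 0.0)
        total += asset_value * t.exposure * rate
    return total


def net_benefit(asset_value, threats, existing, candidate):
    """ALE the candidate removes on top of the existing controls, minus its cost.
    Negative means the control costs more than the risk it takes away."""
    before = ale(asset_value, threats, existing)
    after = ale(asset_value, threats, list(existing) + [candidate])
    return (before - after) - candidate.annual_cost


def evaluate(asset_value, threats, candidates, budget):
    """Greedy selection: repeatedly add the affordable control with the largest
    positive net benefit given what is already chosen, until none qualifies.
    Returns (chosen controls, amount spent, residual ALE)."""
    chosen: List[Control] = []
    remaining = list(candidates)
    spent = 0.0
    while True:
        best, best_net = None, 0.0
        for c in remaining:
            if spent + c.annual_cost > budget:
                continue
            net = net_benefit(asset_value, threats, chosen, c)
            if net > best_net:
                best, best_net = c, net
        if best is None:
            return chosen, spent, ale(asset_value, threats, chosen)
        chosen.append(best)
        remaining.remove(best)
        spent += best.annual_cost


# Constructed scenario (illustrative numbers, not data from the article).
ASSET_VALUE = 500_000.0
THREATS = [
    Threat("external", annual_rate=0.3, exposure=1.0),
    Threat("insider", annual_rate=0.2, exposure=1.0),
]
# The $100,000 product only addresses the external threat; the cheaper basic
# controls also close the insider gap the article describes.
PERIMETER = Control("perimeter_suite", 100_000.0, {"external": 0.9})
ACCESS_CONTROL = Control("access_control", 30_000.0, {"external": 0.3, "insider": 0.8})
TRAINING = Control("training", 10_000.0, {"external": 0.2, "insider": 0.4})
CANDIDATES = [PERIMETER, ACCESS_CONTROL, TRAINING]

if __name__ == "__main__":
    print(f"baseline ALE: {ale(ASSET_VALUE, THREATS):,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:16s} net benefit on its own: "
              f"{net_benefit(ASSET_VALUE, THREATS, [], c):,.0f}")
    print(f"perimeter_suite alone: residual ALE "
          f"{ale(ASSET_VALUE, THREATS, [PERIMETER]):,.0f}")
    chosen, spent, residual = evaluate(ASSET_VALUE, THREATS, CANDIDATES, budget=100_000.0)
    print("chosen:", [c.name for c in chosen],
          f"spent {spent:,.0f}, residual ALE {residual:,.0f}")
    # The article's other case: a $200,000 control on an asset worth $100,000.
    gold_plated = Control("gold_plated", 200_000.0, {"external": 1.0, "insider": 1.0})
    print(f"oversized control net benefit: "
          f"{net_benefit(100_000.0, THREATS, [], gold_plated):,.0f}")
```

Run stand-alone, it reports that the $100,000 product alone leaves a residual ALE of $115,000, while access control plus training cost $40,000 and leave $96,000, which is the article's point that closing the insider gap can beat buying the new product; the oversized control on the $100,000 asset comes out at a net loss of $150,000 per year. The figures are inputs to be replaced with the organization's own asset inventory and threat estimates, and the result is only as good as those estimates.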