This post was contributed by Chad Boeckmann, CEO of TrustMAPP
When it comes to cybersecurity spending and deciding, “How much is enough?” is the typical approach. But does your business simply meet compliance, or does your plan include a strategy to succeed?
Too often, companies look at cybersecurity as an insurance package and too often, view budgeting for cybersecurity as coupon shoppers would when stepping into a retail store on Black Friday. This approach, sometimes driven by CFO’s or CIO’s, unnecessarily leaves their businesses exposed or their cybersecurity staff without the proper people or tools to fight the battle.
As an example, ransomware recovery costs reach nearly $2M, more than doubling in a year according to Sophos. It is important to distinguish between recovery costs and all costs related to ransomware. If we look at IBM’s findings, the total average cost of ransomware from identification, containment to recovery was $4.62M, higher than an average data breach event. If your business has cyber insurance to transfer the direct financial risk, a successful attack can still lead to major reputational damage, lost customers/revenue, and legal fees that your insurance likely does not cover including impact to future revenues.
Take your complimentary Ransomware Readiness Assessment and determine if you are prepared.
If we look at other types of data breaches, not just Ransomware related, according to IBM’s study they show average data breach costs rose from $3.86M to $4.24M over the past 12 months reflecting a 10% increase year over year.
Ask yourself, “Is your cybersecurity performance improving more than 10% per year?”
How many of these loss events can your company afford in a given budget cycle? With regard to potential loss, an ounce of prevention is truly worth a pound of cure.
Plan Your Work and Work Your Plan
In our current socio-economic environment, managing cybersecurity to a budget is a recipe for failure. Let’s say your cybersecurity spend was a total of $1 million in 2020 this does not mean your budget should be 5-7% higher this year following the traditional budget approval process. We, as collective leaders, need to think more strategically about how the business will be meaningfully protected against future loss and align the dollars and project priorities appropriately. This begins by understanding the company’s cybersecurity performance based on a chosen set of controls to guide the organization and associated objectives the business has to succeed in the marketplace. Alignment of cybersecurity performance and business objectives is truly the intersection to understand and answer the question “How much is enough?” with regards to cybersecurity budget.
How much is enough
Let’s take a look at the Computer Economics IT Spending and Staffing Benchmarks 2021/2022. In summary, they breakdown IT Budgets for small, medium, and large companies which are categorized based on the size of their IT operational budgets:
- Small organizations are defined as those having IT operational budgets of less than $5 million
- Midsize organizations are defined as those having IT operational budgets of $5 million to less than $20 million
- Large organizations are defined as those having IT operational budgets of more than $20 million
With that piece of knowledge and context, we can then look at A Gartner Report that says companies they’ve researched spend an average of 5.6% of their overall IT budget on cybersecurity, with a range of 1% to 13%. This is also what we have seen on average with customers from varying industries. There are no one-size-fits-all budget guidelines, even within the same industry. Most financial institutions, for example, will spend on average 10% of their IT operational budget on cybersecurity according to a study from Deloitte.
Armed with the data and using the average of 5.6% of the IT operational budget on cybersecurity let’s look at what your company might be budgeting for cybersecurity using industry averages:
- Small organizations with IT operational budgets of $5 million or less and using 5.6% of the budget for cybersecurity will likely invest between $280,000 on the high-end and $56,000 on the low-end.
- Midsize organizations with IT operational budgets of at least $5 million but less than $20 million and use 5.6% of the budget for cybersecurity will likely invest between $1.12 million on the high-end and $280,000 on the low-end.
- Large organizations with IT operational budgets of at least $20 million and for bookend purposes, let’s use $100M on the top end of their budget. Again we use the average of 5.6% of the IT budget for cybersecurity and this indicates these companies will likely invest between $5.6 million on the high-end and $1.12 million on the low-end.
Now ask yourself, “Is this average budgeting really going to meet the business objectives of the company while maintaining a healthy cybersecurity performance?” To learn more about benchmarking, prioritizing, and budgeting cybersecurity visit: https://trustmapp.com pioneers in cybersecurity performance management since 2015.