One of the big questions that the Knogin team frequently hears is: “how much does cyber security cost?” This is often followed by: “Is cyber security worth including in my annual budget?” The short answers to these questions are:
- However much it takes to put into place the systems and processes you need to minimize your cyber security risks; and
Many organizations can operate fine without extensive cyber security measures. Others, however, may need to increase their cyber security spending to meet industry regulations or to protect against the specific threat types that target their sector.
There is often resistance to increasing the cyber security budget, as many organizations have the mindset of “if nothing’s happened yet, it isn’t worth worrying about.” They see cyber security spending as an unnecessary expense that does nothing to help the business’s bottom line. Yet improving the budget for cyber security is often worth it for reasons beyond minimizing IT security risks.
Why Cyber Security Spending is Worth It
So, why is setting aside a budget for cyber security worth it for your business? There are numerous justifications for and benefits of having a strong cyber security program, including:
- Meeting Key Regulatory Requirements. Many industry regulations stipulate the use of specific cyber security measures (or appropriate substitutions that meet the same security goals). So, budgeting for the inclusion of these security tools is often a necessity.
- To Boost Investor/Customer Confidence. In today’s cybercrime environment, news about data breaches is near-constant. Companies that suffer such breaches often lose the trust of their customers and investors—which negatively impacts their bottom line. Proactively working on your cyber security budget to improve information security can help to bolster confidence among investors and consumers—strengthening long-term financial performance. For example, if a competitor suffers a breach, and your organization can demonstrate how your cyber security measures would keep similar breaches from happening, you may be able to capture some of that competitor’s now-jaded clientele.
- Security Measures Don’t Have to Be Expensive. A common misconception about budgeting for cyber security is that effective security is always expensive. This couldn’t be farther from the truth. In fact, there are many free security tools for businesses that you can use, which makes them easy to justify in your cyber security budget because their only cost is the staff time needed to deploy, tune, and maintain them. That time is a real cost, so account for it rather than treating the tools as free.
- Preventing One Incident Can Pay for Your Entire Security Budget. If spending $10,000 on cyber security could save you $100,000 in security breach remediation, would you say it’s worth it? While the ROI of cyber security isn’t easy to define (it’s hard to measure the impact of something that hasn’t happened), the IBM Cost of a Data Breach study reported that the average cost of a data breach was around $3.9 million in 2019. If increasing the budget for cyber security prevents just one such incident, odds are it will pay for itself.
Getting the C-Suite to Approve a Cyber Security Budget
Knowing how important information security is and how much of an impact a strong security program can have, how can you sell a cyber security budget increase to your business’s leadership? Not long ago, we wrote an article about how to get management buy-in for cyber security planning. Many of the same tips apply here as well:
- Don’t Rely on “Fear and Doubt” Messaging. When pitching a cyber security budget to senior leadership, many people make the mistake of focusing on “fear and doubt” messaging. They talk at length about potential consequences and impacts, only for their leaders to go glassy-eyed with boredom. While highlighting threats is necessary and useful information, it’s important to include more positive messaging. Instead of saying “not having cyber security will cost us X dollars,” you can say “leveraging these cyber security tools can save us X dollars while improving customer confidence and safety.”
- Avoid Cyber Jargon. “The SIEM correlates WAF alerts with database audit logs so we can detect SQL injection attempts before exfiltration.” To an IT expert, that makes sense. To anyone else, it’s a word salad that’s hard to digest. Instead, saying something along the lines of “this security tool can spot a type of cyberattack that is often used against others in our industry and reduce our risk” is much easier to understand. When pitching a budget for cyber security, know who your audience is, what they care about, and what kind of information they’ll find useful.
- Build a Rapport. It’s unfortunate, but true: leaders in a business are more likely to listen to a trusted advisor who is a non-expert over a stranger who is an authority in the field. If you’re serious about increasing your cyber security budget, you need to build a long-term relationship with the decision-makers in your organization. Building trust helps ensure that your audience will actually listen to your ideas rather than immediately dismissing them and focusing on other priorities.
- Provide Resources and Analytics. Even if you don’t think the execs will need to see a report, it helps to have one handy to give out. Additionally, providing some recommended reading on cyber security can help them understand the importance of budgeting for an information security plan. Having analytics and resources on hand helps demonstrate that you know what you’re talking about, and have prepared accordingly—even if the execs don’t actually read the resources.
How to Budget for Cyber Security
Okay, say you’re getting ready to present a cyber security budget to your executive suite—how can you make sure your budget provides the optimal level of protection at a reasonable cost?
Here’s a quick summary of how to budget for cyber security to help you out:
- Assess Your Cyber Security Risks, Assets, and Resources. Before you can create or modify your cyber security budget, you need a firm grasp of what you need to protect, what your biggest risks are, and what security resources you already have. This means inventorying your assets and existing controls and assessing your security risks before working on the numbers. Doing so helps you identify the smallest changes that will have the biggest impact.
- Align Your Cyber Security Budget/Plan with Your Goals. What does your business need to accomplish? What are its goals for customer service, user experience, breach prevention, etc.? Your choice of cyber security tools may be influenced by your business’ goals. So, it’s important to make sure you account for this in your budget planning.
- Consider Your Employee Training Needs. Simply creating a new cyber security plan and budget doesn’t guarantee that your employees will know how to follow it. Employee training is a critical part of any cyber security budget and should be accounted for up front. Take a tally of your business’s employees, set training goals for them, and decide how you’ll deliver cyber security training to them. This maximizes the ROI of your security budget by ensuring that everyone knows how to follow the plan.
- Remember to Budget for Emergency Situations. Odds are that an incident response plan will be a key part of your cyber security planning. Leaving room in the budget for overtime, incident response retainers and other emergency services, forensic work, and the other costs associated with your response plan is important for avoiding cost overruns when an incident actually happens.
Need more help securing your business? Try out CyberEasy for Business, our early detection tool which helps you minimize cyber security costs by spotting potential security issues early! Also, you can subscribe to our blog for more cyber security news and tips.