Budgeting and annual planning has always been a vital, though a potentially burdensome aspect of establishing a successful security posture. Organizations and management teams often consider information security as a cost since it doesn’t contribute directly to the bottom line. Hence it is crucial for security leaders and CISO to allocate effective budgets every year. So, let’s look at the best cyber security budget planning practices for 2021.
To Begin With
Regrettably, there isn’t a straightforward path to figure out how much one should actually spend on security. Every association or organization is different, and the amount varies based on the organization’s IT risk profile. Determining the risk requires a complete audit of your data and infrastructure. Until you figure out what crucial data you are storing, where it resides, and what would be the consequences of leaking or losing this data, it would be difficult for you to analyze the costs associated with a security episode. Identifying these costs will assist you to figure out a sensible amount to spend in order to prevent them. Remember “Data Availability” is equally important. Protection against downtime is as important as loss of data.
One must equally concentrate on any regulations your particular business has to adhere to. If your organization is into credit cards, you must meet the PCIrequirements. If you are into healthcare, you must adhere to HIPAA requirement. All these regulations have definite penalties and fines. These fees can assist you to the ultimate cost of a violation.
One of the simplest ways to be on the right track is to benchmark against similar firms. Many analyst organizations survey businesses on a regular basis and ask them the percentage of IT budget they spend on cyber security. The answers do differ broadly, but based on a survey done by Deloitte in 2019 the range lies somewhere between 6% and 14% of IT budgets, for an average of 10%. You can consider your security budget allocation against these numbers, but do not forget that your range solely depends on the extent to which your business relies on the size of the sensitive data you dwell with and the IT infrastructure. For instance, if your firm is an advanced IT company that deals with crucial intellectual property, customer and financial information will probably fit higher in that range. However, if your firm is more of the legacy type with minimal IT resources, you would generally be fine in the lower range.
Ponemon’s annual Cost of Data Breach Report breaks down the cost of a data breach based on company vertical, region, and the type of attacks every year. In reality, one of the most appealing stats from the report is the average cost of a breach per customer, which was $150 in 2020. This data gives you the ideal way to figure out the approximate cost of breach based on the number of customer records you can lose. Logically when you multiply the maximum cost of breach by its percentage of likelihood you get your max amount which you can set as the limit of your security spending.
The Impact of the Pandemic
The effects of covid-19 still continue to spread across the world. CISO’s must keep into consideration the accelerated shift in remote work since then. Though it will still take some time to completely understand how the pandemic will affect cyber security priorities and spending, there are high chances of the following two things to prove true,
1) There would likely be a rise in the per employee security amount. As per the 2019 report of IT Key Metrics Data, in 2018, the average security spend was $1,718 which when compared to the reports to 2012 showed a major 67% rise. Though the reports do not mention the exact cause of this rise, but it probably is related to the increase in remote work during that period. When at work, with the help of network perimeter many individuals can be consolidated under a shared perimeter security. However, when remote work comes in picture, each employee will need their own distinct protections. This too will be one of the reasons for the increase in security spends. The inimitable pandemic forced an overnight move to work from home options. Moving forward, this could faintly increase the per employee security spending.
2) The good news is; this pandemic would make companies rebalance their current budgets. Even though the increase in remote employees would amplify the cyber security budgets, there is still an option of supporting this growth by just strategically reallocating security spending.
Remote users, the office perimeter and cloud all require security controls, but your spending should ideally depend on where does your vital data reside, and the number of assets you have in each place. If you have more number of services in the cloud and more remotely working employees, you probably need to balance your current budget to prioritize that and vice versa. At the end, Covid-19 would either focus or amplify the budgets of the majority companies around endpoint and user-based defenses.
Take guidelines from the evolving threats
If you concentrate on the evolving threats closely, you can get guidelines to strategize and prioritize your security spending.
In 2016, when the ransomware exploded for the first time, you should have focused your budget on tools related to disaster recovery, backup recovery or the detection of malware to get hold of this vague ransomware. In 2019, and 2020, credential theft and spear phishing were out of control. This proved,” Hackers don’t break the system, they actually log in the system”. This year, particularly when everyone is working remotely, there is a need to concentrate your cyber security spending in shielding user’s digital identity by providing Multi -Factor Authentication solutions.
In any case, it is always crucial to maintain a pulse on the sprouting threat landscape, as the changes in the hackers’ operations will influence both your budget and spending.
Summarizing it all
The most crucial aspect of any successful budgeting cycle and security plan is to commence with proven risk measurements and impact estimations. Firstly, identify all the regulations that your business must stick to, as well as the linked penalties for compliance lapses and incidents. Perform a formal risk audit to register sensitive data and gauge the financial impact of any permanent or temporary losses. Refer cyber security budget standards for your employee count, average data breach costs and your business vertical.
If you do this right, you can settle on a decent budget for your company. However, do not forget to leave some space for your development and digital transformation. Even if cyber security doesn’t feel like a business enabler, avoiding threats is crucial for all modern business. Nevertheless, if implemented poorly, cyber security can obstruct business too. Do consider to build some extra cushion into your cyber security budget to assure you can implement some classy solutions that can make security easier, aid your digital transformation and shrink friction.