Making the Business Case for Cybersecurity
In today’s threat landscape, cyber risks are an unavoidable reality for almost all organisations.
Yet, cybersecurity still faces an uphill battle when justifying its place within the budget.
Even with the importance of cybersecurity slowly being recognised within the C-Suite, effectively planning the cybersecurity budget remains a serious challenge.
As digital transformation trends continue to grow, executive-level decision-makers and cybersecurity professionals alike must learn how to align cybersecurity policy with business priorities.
researchHQ’s Guide to Translating Cyber Risks and Threats into Business Metrics
Over the past few years, organisations across the globe have finally started waking up to the importance of cybersecurity.
Cybersecurity is finally beginning to see the budgetary recognition that it deserves. However, organisations lack confidence that their cyber budget allocation matches the most significant risks.
Building a cybersecurity budget is a challenging task. The success metrics, return on investment (ROI) and general relation to business development are often much less clear than in other areas.
While all the necessary metrics are present, it can often be difficult to quantify them until a worst-case scenario occurs.
At researchHQ, our team has hand-selected the most valuable and relevant content to help organisations align their cybersecurity and business priorities.
Planning the Cybersecurity Budget:
The big question when budgeting is often ‘how much is enough?’, check out BCG’s blog on whether you’re spending enough on cybersecurity to help answer this question.
Alternatively, if you’re struggling as to what exactly to focus on in this year’s cyber budget, Varonis has created a blog breaking down the top 5 budget priorities for CISOs in 2021.
Justifying Investment in Cybersecurity:
One of the hardest jobs for cybersecurity professionals can be tying cybersecurity needs into concrete business objectives. BitSight has put together a toolkit for reporting to the board.
Competing Within the Cybersecurity Budget:
For application security professionals striving to communicate the importance of their team, check out Veracode’s report on how to communicate application security success.
Table of Contents:
- Digital transformation trends have made cybersecurity a more pressing business concern than ever before.
- Despite growing recognition of its importance, organisations continue to struggle to build an effective cybersecurity budget.
- The most common mistakes made when formulating a cybersecurity budget stem from failing to invest in the areas most in need of attention.
- Successful cybersecurity budgets are built around thorough risk assessments and align closely with an organisation’s immediate priorities and long-term objectives.
How Does Cybersecurity Relate to Business Objectives?
Cybersecurity is no longer an option for businesses.
The recent rise of remote working has accelerated the accelerated cybercrime and put more pressure on cybersecurity professional than ever before.
Companies are tasked with protecting an increasingly distributed network of people, systems and data from an evolving threat landscape that grows more sophisticated by the day.
The global average cost of a data breach is $3.68 million. It only takes a single security incident to expose sensitive data or disrupt day-to-day operations.
To make matters worse, the potential financial, legal and reputational repercussions of such an event hit companies where it hurts the most; their bottom line.
Yet, cybersecurity continues to struggle to find a place within budget discussions and is often brushed off as an IT issue.
Digital transformation trends, the rise of remote working and the growing sophistication of cyber-attacks are forcing organisations to place more of a premium on cybersecurity and businesses. Yet, many continue to struggle to invest in the right areas.
As a result of the COVID-19 pandemic, 96% of executives have made efforts to shift their cybersecurity strategy, according to PwC’s 2021 Global Digital Trust Insights Report.
This figure might appear optimistic; however, 55% reported a lack of confidence that spending was being effectively allocated in the areas of most significant risk.
These figures suggest that boardrooms and the C-Suite are increasingly interested in where cybersecurity investments are going and the tangible results they generate.
Unfortunately, the benefits of a robust and sophisticated cybersecurity program are difficult to show and often only become apparent when things go wrong.
It should not take a catastrophic worst-case scenario to demonstrate the value of cybersecurity investment. Unfortunately, the other route is often an uphill battle.
Justifying Increased Cybersecurity Expenditure:
The first obstacle in garnering cybersecurity investment is the struggle of IT and security professionals to justify the increased expenditure to the C-Suite and Board.
Things have been getting a little easier in this area over recent years. Particularly in large enterprises with bigger budgets, the higher-ups are increasingly willing to invest in cybersecurity.
This does not mean, however, that there is no longer any struggle at all. A sophisticated cybersecurity program remains a daunting financial investment for many organisations.
In a period of immense economic turbulence and uncertainty, enterprises large and small are under substantial pressure to do more with less. While the past twelve months have emphasised the importance of cybersecurity, it has been just one of many competing urgent priorities for many organisations.
Cybersecurity may be a significant concern; however, it has to compete with multiple equally pressing priorities that are more demonstrably tied to clear returns on investment (ROI).
When defending or expanding the cybersecurity budget, highlighting potential threats is not enough.
Successfully garnering investment in a cybersecurity programme demands linking it to concrete business objectives and demonstrating a clear ROI.
Building a Cybersecurity Budget:
Once the investment in cybersecurity has been secured, decision-makers must avoid falling into a false sense of complacency.
Simply throwing money at the problem will not make it away. Cybersecurity spending should be carefully planned out and documented in a budget built around an effective risk management strategy.
Building such a budget can be a daunting task. It demands recognising a range of broad environmental factors, such as the evolving threat landscape and how these related to an organisation’s own unique goals and requirements.
In a market oversaturated with vendors offering ‘magic’ solutions, it is all too easy to fall into the trap of spending the right amount in the wrong areas.
When distributing funds, companies must find a balance between sophisticated technological solutions and cybersecurity fundamentals, such as regular cybersecurity training.
Common Cybersecurity Budgeting Mistakes:
No two organisation’s budget journey will be the same. For a cybersecurity program to operate effectively, it must be built around various organisation-specific variables. However, certain common mistakes should be avoided by all.
Despite the progress made in recognising the importance of cybersecurity, many cybersecurity and IT teams continue to struggle to gain the investment they need.
Yes, smaller organisations may be locked out of the more expensive cutting edge cybersecurity tools and services.
Equally, it is unlikely that they can afford to build a dedicated team of full-time cybersecurity professionals.
No matter how small an organisation is, it can afford to allocate a bit of time and expenditure towards simple but effective measures such as password hygiene.
A data breach or security incident that is damaging to a larger organisation could be completely catastrophic for smaller businesses.
It is worth noting that size is not always the limiting factor in constrained cybersecurity budgets. A false sense of complacency in organisations capable of investing in cybersecurity can lead to disaster.
No organisation is too small or too large to have to think about cybersecurity and allocate appropriate resources.
Lack of Investment in Key Areas:
As organisations shift their attention towards cybersecurity, they must be careful not to conflate increased investment with more effective investment.
Businesses funnelling investment into the wrong areas are at risk of producing budgets that are overinflated and ineffective.
When confronted with the fact that they are not spending enough on cybersecurity, organisations tend to rush out to correct this mistake before it creates a perception of negligence or incompetence.
This, combined with the overwhelming number of different cybersecurity tools, products, and services available today, presents a problem endemic to many organisations.
Modern, sophisticated cybersecurity tools certainly have a role to play within an enterprise’s cybersecurity program. Many of these tools can help revolutionise the company’s entire cybersecurity strategy.
Yet, for many organisations, expensive tools are not always the most immediate cybersecurity investment need.
Rather than leaning on these tools as easy investment decisions, organisations should conduct due diligence and plan investment based on their most immediate needs. This involves understanding the risk landscape facing the organisation.
When budgets are allocated inefficiently, organisations can easily find themselves slipping into a cycle of reactive investment tackling security-related problems as they arise.
Once caught in this cycle, organisations are constantly hunting down infections and patching vulnerabilities within their systems and network rather than assessing their broader security strategy.
As data breaches become increasingly commonplace, a proactive security posture is crucial to building cyber resiliency and navigating periods of disruption.
The pandemic has demonstrated that the need to plan for the unexpected. Organisations need to implement a proactive approach to security, enabling them to adapt to situations rather than simply reacting.
Once a company falls into a cycle of reactive cyber investment, it is challenging for it to get out, particularly for smaller organisations with tighter budgets.
Best Practices for Building a Cybersecurity Budget:
Avoiding mistakes such as these is crucial for an organisation to invest in cybersecurity effectively.
However, even having overcome these pitfalls, building a successful cybersecurity budget remains a daunting task.
We’ve put together some simple best practices which all companies should follow when building their unique cybersecurity budget.
Risk Assessments are the Foundation of Any Successful Budget:
No security professional or executive can begin making decisions relating to cybersecurity investments without first taking a step back and assessing their organisation and the environment in which it operates.
There is no standard benchmark for cybersecurity spending. Additionally, an organisation’s cybersecurity spending is often distributed across multiple departments, making it difficult to determine the appropriate spending level. Identifying the critical areas in need of investment demands a thorough risk assessment.
For an assessment of this nature to be effective, it should cross-reference an organisation’s strengths and vulnerabilities with the threat landscape in which it sits.
The threat of a malicious attack is undoubtedly a crucial component when assessing risk; however, it can prove relatively meaningless without context.
Risk assessments should be based on the most relevant threats to each organisation based on size, location, and industry.
Furthermore, an understanding of threats is only half the picture when it comes to assessing risk.
It is equally important to understand an organisation’s current programme’s strengths, deficiencies and vulnerabilities.
With an understanding of both these factors, companies can effectively assess the risk facing them. This assessment will provide a basis for cybersecurity future budgetary conversations.
On this basis, risk thresholds can be agreed upon, which, when exceeded, provides context for reopening budgetary conversations or reallocating funds.
Select Tools Carefully:
Any organisation searching for cybersecurity solutions today will likely find itself spoilt for choice.
More and more advanced products emerge every day and, as with all things, no one size fits all.
These solutions are certainly a worthwhile investment, but only when an organisation takes the time and does the necessary due diligence to determine which one will be most effective for them.
For example, as regional laws surrounding data privacy continue to tighten, certain companies may find tools focusing on the processing and storing of customer data to be of particular benefit when ensuring compliance with data protection regulations.
When allocating a budget to these specific areas, it is necessary to weigh up the investment required to purchase the solution best suited to an organisation’s needs against the importance of the organisation’s broader cybersecurity goals.
Cybersecurity solutions deserve space in the budget; however, they must serve a clear purpose within the overall cybersecurity strategy.
Don’t Forget the Basics:
Sophisticated cybersecurity solutions can only do so much without a sturdy foundation.
Organisations planning their cybersecurity budget should allocate funds for regular company-wide training.
The time for simply ticking cyber training off a list with the same annual PowerPoint presentation has come and gone.
Organisations must push to ensure that every employee has a certain basic understanding of cybersecurity. This understanding should scale based on specific roles and responsibilities.
Training is a worthwhile investment. Not only because it should prove relatively inexpensive but equally because, without it, all the money invested in a sophisticated cybersecurity programme risks being wasted due to simple human error.
Particularly with the recent rise in remote working, basic training on matters as straightforward as password hygiene is an essential component of any cybersecurity budget.
Align with Business Objectives and ROI:
Finally, stakeholders must link the proposal to concrete business objectives and demonstrate a clear ROI when proposing any cybersecurity-related budget.
Budget allocation across an organisation is often highly competitive, and the benefits of cybersecurity are inherently less visible than other departments until something goes wrong.
It is, however, possible to demonstrate ROI for a cybersecurity program.
From using automation to reduce labour costs to the lower data breach insurance costs brought by a more effective security posture, small savings across the organisation will often add up into something far more substantial.
The most significant display of ROI will likely be found in a comparison between the cost of implementing simple security practices versus the potentially catastrophic breach they prevent.
It is also important to allocate cybersecurity in a manner that makes business sense.
For example, if an organisation is undergoing rapid digital transformation, it will need to invest in the appropriate areas to scale its online offerings without sacrificing security.
From a business perspective, cybersecurity makes sense as an investment. Cybersecurity budgets should be crafted in a manner that reflects that fact.
Cybersecurity is no longer optional. Nor is it merely the domain of the IT department. As digital transformation continues to accelerate and malicious actors adopt increasingly sophisticated attack methods, cybersecurity and business growth are increasingly intertwined.
While progress has been made in recognising this fact, organisations still struggle with building an effective cybersecurity budget.
Every organisation’s cybersecurity budget will be unique; however, it should be built on a solid understanding of the threat environment in which that organisation sits and an assessment of the risks it faces.
As with all business investments, the success of the cybersecurity program is determined not by the volume of investment received but by how effectively that investment relates to business priorities and goals.