researchHQ’s Key Takeaways:
- Garnering investment in cybersecurity demands effectively communicating its importance to the C-Suite, which means building a sound cybersecurity budget.
- Vulnerability assessments, patches and penetration testing can often be carried out by the same vendors, offering an opportunity for price negotiations.
- Training and certification of IT staff is an investment in staff morale that can prevent burnout and reduce costs in the long run.
- Costs can potentially skyrocket without effective system maintenance and cybersecurity insurance.
As businesses across all industries evolve, once-discretionary expenses become operating costs. Insurance coverage, for example, is pretty much ‘a must’ across many industries. The latest may be cybersecurity costs, because protecting your most important currency, information, requires ongoing attention. When looking at your cybersecurity budget, factor in every part of the recipe. What are some items you can bake into your cybersecurity budget that will reduce your overall risk posture?
How to Talk to the C-Suite About Cybersecurity Costs
If you’re smart about how you spend and allocate your information security budget, you can actually turn your cyber-related expenses into competitive advantages. And you’ll make a lot of friends if you can do that. Therefore, as you plan for your coming year’s budget, make sure you are speaking a language the decision makers understand. Remember, it’s not just about bits and bytes, firewalls and routers; it’s also about business speak. Learn to talk about why these cybersecurity costs are worth it to the C-suite:
- Cash flow (Can the business financially sustain what you’re asking for?)
- Collateral (in case you need to borrow against assets)
- Capital (How much do you have in the piggybank that can be used?)
- Character (This not only goes for you, but who you’re relying on.)
- Conditions (What’s the outlook like?)
Yes, these are the ‘five Cs’ of credit and lending analysis. Effectively, you’re asking management to invest in your cybersecurity training and budget, meaning they’re going to want to see a return on investment. If you can’t quantify what you’re asking for, don’t expect to get it, even more so in 2021.
Vulnerability Assessments and Fixes
If you can’t perform vulnerability assessments internally, there’s good news. This type of cybersecurity cost is dropping as the service becomes more and more commoditized. As a buyer, that puts you in a good negotiating position to do this often and even with flat rates. Also, using an external vendor keeps you honest even if you could do it yourself. In a perfect world, you should aim to conduct assessments every three or six months. Today, once a year is the minimum.
There’s a catch: remediation. An assessment without corrective action is kind of like buying a gym membership and not using it. Cyber hygiene requires action. If you can’t make corrections on your own, work with your vendor. It’s a good time to start working on some longer-term contracts.
Business thinker Peter Drucker says, “Plans are only good intentions unless they immediately degenerate into hard work.”
Think of vulnerability assessments as good intentions and penetration tests as hard work. Pen tests are more in-depth and run the risk of becoming open-ended, so set clear borders and rules. But also make sure to have an annual test, otherwise you’re doing yourself a disservice.
Many vulnerability assessment vendors also offer pen test services. So, again, think about the business angle of these cybersecurity costs. This is a good time to haggle and get all these services lined up and locked in.