As we explained here, cybersecurity budgets are inherently inadequate. That's because threat intensity, threat surfaces, and the potential economic consequences of breaches are all growing — creating a sort of “negative synergy” that significantly outstrips growth in cybersecurity budgeting.
Every organization must therefore determine how to optimally allocate their finite cybersecurity resources in order to most effectively mitigate overall financial, operational, regulatory, and reputational risk to the business.
To help you tackle this critical resource-management challenge, I spoke with Diana Kelley, co-author of Practical Cybersecurity Architecture; Scott Schober, President and CEO of Berkeley Varitronics; DataOps guru Lenny Liebmann; and noted digital healthcare leader David Chou — who between them have several decades of experience guiding budget and resource allocation decision-making for dozens of cybersecurity teams in a diverse range of markets — to get their advice about how to maximize the risk-reducing impact of your total cybersecurity spend.
Q1: How do you rightsize an organization's security budget? What's a good rule of thumb for a total annual budget number? And do most organizations in fact fund their cybersecurity efforts at this level?
A1 (Schober): Your security budget ultimately depends on the “crown jewels” you need to protect. That's different for every organization — but you can't rightsize your budget until you clearly understand exactly what you need to protect, the level of risk you face, and the measures you therefore need to implement to achieve your risk-reduction goals.
That said, a good starting point for cybersecurity is about 15% of your total IT budget. For organizations that have special considerations such as healthcare data or financial data, that number should be closer to 20%.
Unfortunately, many organizations underfund cybersecurity due to an it-won't-happen-to-us attitude. And, of course, it never happens to you — until it does.
Q2: How do cybersecurity budgets get divvied up? Like, is it typically X% for staff headcount, Y% for tools and technologies, Z% for outside services?
A2 (Liebmann): Previous approaches to “slicing and dicing” cybersecurity budgets have to be completely re-thought in light of two major developments:
- Managed Detection & Response's (MDR) market-disrupting economics — since security-as-a-service allows you to reduce your cost of technology ownership while also reducing or re-allocating staff headcount, and
- AI, which similarly promises to transform the mathematics of human labor vs. automation.
My advice is also to think less about spending in traditional silos and more about spending on layers of defense. So the real question is how much you allocate to perimeter-ish protections like endpoint and multi-factor authentication deployments vs. how much you allocate to threat detection, threat hunting, and response. And given how imperative it is to adopt zero-trust, I'd say that putting too many eggs in the endpoint basket is probably a bad bet. To truly protect your organization's most important assets — and to fend off increasingly stealthy APTs — MDR excellence is vital.
And the biggest mistake of all may be under-funding your adversarial testing and red/blue team exercises. This is especially true given the current talent crunch, since active exercises are a great way to upskill your staff and discover holes in your process — which are at least as problematic as holes in your technology tooling.
Q3: Is there any particular way you think cybersecurity leaders could better allocate their spending to get more risk mitigation out of their budgets? Anything in particular they should invest in? Or any traditional spend in particular that they might be able to retire?
A3 (Kelley): One common problem is that organizations tend to accumulate security controls over time. I worked with one company that had four different security endpoints — not because they were doing different tasks, but because they had been added on over time due to acquisition and leadership changes. And everyone was afraid to remove the legacy agents.
To keep your spending in check, periodically perform a very complete review of your security controls and technologies with a keen eye for issues such as redundancy, degraded alignment with your current portfolio of high-value assets, inefficient cost structure given changes in your environment, etc.
If a control or solution overlaps with another one — or is no longer mitigating a risk that makes its burdened cost of ownership worthwhile — get rid of it!
Q4: What kind of annual increases are you seeing in cybersecurity budgets? Are those increases sufficient to meet the increased challenges posed by the combination of intensifying threats and the fact that organizations' computing environments are getting larger, more complex, and of greater financial value to the business?
A4 (Schober): I'm typically seeing cybersecurity budget increases in the neighborhood of 10%. This percentage varies greatly between industry segments and is often tied to and motivated by recent cyberbreaches that have affected a competitor or other companies in an organization's supply chain — which unfortunately serves as a sort of after-the-fact wake-up call.
I'll echo your main point — which is that as cyber criminals engage in more sophisticated attacks and as organizations' attack surfaces continue to expand, stingy cybersecurity budget increases just don't make good business sense. This is why I'm adamant about asserting that this year's budget shouldn't be based on last year's budget at all — but rather on a fresh assessment of changes to risks and requirements.
Q5: Any advice about how cybersecurity leaders can successfully ask for more budget?
A5 (Chou): Cybersecurity leaders have to get better at crafting their budget requests so that they clearly align with the organization's strategic business goals. It's not just about making claims regarding risk. It's also about showing how cybersecurity will actually enable the business to expand and improve in very specific ways. That's ultimately how you get funding that's not just an incremental year-over-year increase.
Also, make sure you have metrics that quantify the efficacy of what you propose. You have access to lots of data and analytics — so use them. And use them in a way that both proves the worth of the security measures you currently have in place and makes an empirically compelling argument for the additional funding you need to appropriately enhance your organization's cyber defenses. You can't just depend on vague assertions like “The world is getting more dangerous” or “We have more data to protect” — as true as those assertions may be. The language of business is numbers, especially when it comes to financial decisions.
All sound advice from leading cybersecurity experts on how to best align security budgets with the actual risk facing organizations. To learn more about securing cybersecurity budgets, check out this whitepaper: The New Economics of Cybersecurity and 4 Best Practices to Protect Your Business. To learn more about maximizing your cybersecurity budget while strengthening your security posture, visit https://www.secureworks.com/blog/cybersecurity-on-a-budget-whats-your-plan.