December 6, 2021
“Money should be no object when it comes to cybersecurity” is a phrase often uttered by people who generally know very little about money and even less about cybersecurity.
Actually, money does matter. It matters a lot. If money didn't matter, even the most modest enterprise could hire a team of experts to work around the clock to build, operate, and maintain a military-grade cybersecurity infrastructure.
The truth is that cybersecurity, like any other business operation, has to follow a budget.
Security budgeting can be challenging since the vulnerability landscape changes daily. “We, as a cyber practice, do not believe there is a single magic software or platform,” says Rahul Mahna, managing director, managed security services, at risk and regulatory compliance advisory firm EisnerAmper Digital. He suggested creating a budget that adheres to three distinct visions: past incident reflections (to prevent repeating previous mistakes); current security needs; and future plans.
All cyber events and impacts aren't equal, nor are organizations equally able to defend against and recover from them. “We advise leaders to optimize cybersecurity spend by first working to quantify the risk unique to their organizations in specific dollar terms,” says Andrew Morrison, US cyber risk services strategy, defense, and response solutions leader at business advisory firm Deloitte. Cyber risk quantification allows leaders to calculate expected losses from a cyber event in dollar terms. “Through bespoke modeling and scenario simulation, it's possible to determine fairly accurate estimates of financial loss that could result from a cyber event -- and to help determine how cyber spend should be allocated and prioritized to more impactfully address those specific risks.”
Many organizations start building their cybersecurity budget under the faulty assumption that they will probably never be attacked. They then believe they can safely minimize their cybersecurity investment. “I can think of thousands of companies that felt the same way,” says Alan Brill, senior managing director of the cyber risk practice at governance and risk advisory firm Kroll. Most eventually learned -- the hard way -- that attacks can hit any enterprise at any time.
It doesn't matter if an enterprise has a high, medium, or low profile, since attacks are frequently random and/or automated. In many cases, it's like being a duck in a shooting gallery. “If you're using particular software, and that software has a previously unknown security vulnerability, you can be successfully attacked,” Brill warns. “There are no guarantees.”
One of the biggest mistakes enterprise leaders make when building and allocating their cyber budgets is taking a “peanut butter approach -- spreading funds equally across all cyber domains in an attempt to broadly mitigate risk, Morrison, says. “The challenge with the peanut butter approach,” he explains, “is that organizations stand to underinvest in areas that actually pose the greatest risk while overspending in less risky domains.” For example, in some organizations the security of the supply chain, and its underlying operational technology, may be more critical to business operations than the security of a cloud transformation effort.
Mahna says his clients typically become interested in cybersecurity only when there's a compelling reason to begin the conversation. “Clients then aggressively move to have lengthy discussions and want to fill the many gaps that we identify with risk-based solutions,” he explains. Then ... absolutely nothing happens. “At this juncture, there's usually a 'pause of complacency' that sets in,” Mahna notes. “We call it the ‘run fast and go nowhere’ mentality.”
Since nothing awful happens during the pause, the client typically begins to think: “So why spend this money if everything appears fine? They completely forget the original compelling reason why the conversation started,” Mahna says. “That’s usually the biggest mistake and, usually, when a negative cyber event occurs.”
Winning management support is an essential step toward creating a realistic and effective cybersecurity budget. “It can be really tough for cyber teams to prove a negative -- that there’s value in a large cyber spend if revenue hasn't been lost as the result of a cyber event,” Morrison explains. “However, when cyber teams have justifiable models to demonstrate the likelihood and impact of potential cyberattacks specific to an organization’s unique and current threat profile, it can help paint a clearer picture to the rest of the C-suite, board and other stakeholders on the value of the true cyber investment required.”
Cybersecurity Budget Takeaway
Budgeting for cyber defense, managing risk, and preparing for an incident is simply a part of doing business in the 21st century, Brill observes. “Recognizing that an incident may occur, and result in charges that were not budgeted for, is a reality that every organization must recognize and plan for.”
About the Author(s)
You May Also Like