Cybersecurity Budget Strategies to Consider NOW

cybersecurity budget strategies to consider
Matthew Polatsek
October 6, 2022

With rises in ransomware attacks, business email compromise, phishing, social engineering, third-party software vulnerabilities, and an increased remote workforce, it’s no wonder businesses are starting to recognize cybersecurity as a business imperative. Cyber liability insurance carriers are now imposing stricter requirements for the renewal of policies and mandating minimum levels of security hygiene before contract negotiations can even begin. The US Government has started to craft its framework, which outlines a minimum security posture by which defense contractors must abide to win future contracts, ensuring the protection of sensitive information, also known as Cybersecurity Maturity Model Certification (CMMC).

Developing an efficient cybersecurity budget can be a complex, if not overwhelming, process with limited resources and many factors and external influences to consider, especially at the small and medium business (SMB) level. SMBs will need to ensure their intended level of spending aligns with their chosen level of accepted risk, married to their desired level of protection.

Findings from a recent survey conducted of more than 500 business owners and IT professionals concerning their 2022 cybersecurity plans included the following:

  • Only 50% of SMBs have a cybersecurity plan in place
  • 43% of businesses felt financially prepared to face a cyber-attack in 2022
  • The most common cause of cyber-attacks were malware and phishing
  • 37% of respondents are now investing in new cybersecurity technologies/products
  • 25% of small businesses spent less than $500 on their monthly cybersecurity plan Pre-COVID.
  • Post-COVID, SMBs have begun investing more heavily in cybersecurity, with monthly budgets exceeding $1,499 per month
  • 47% of businesses have also prepared by purchasing cyber liability insurance

2023 Budget Considerations

It should not be shocking to learn that doubling an organization’s cybersecurity budget would not cut the risk of an adverse cyber event in half. Cybersecurity departments continue to struggle with justifying increases to their budget when they are not seen as contributing to overall revenue growth. While the threat landscape continues to evolve, business leaders need to take a step back to reassess their current cybersecurity posture and how they can improve their budgeting approach. Remember that there is no silver bullet, as any cyber budget and forecasting need to be customized to that organization’s specific needs. While organizations cannot defend against everything, business leaders must appreciate what’s most essential and will likely have to do more with less while managing and reducing this ever-present risk. Given these considerations and today’s economic uncertainty and recession fears, what budgeting strategies should SMB leaders consider as they prepare for 2023?

1. Quantify your risk:

The quantification of cyber risk can be defined as the process of measuring the financial impact of the realization of a particular cyber threat. By measuring cyber risks, organizations can:

  • Better understand what is critical to the business
  • Prioritize vulnerability remediation based upon severity which should include financial risk exposure
  • Evaluate the return on investment for proposed expenditures on cyber security technologies and services
  • Qualify the need for cyber insurance

Once risk has been quantified, organizations will be better able to relay cyber threats that senior leadership will understand.

  • Manufacturing organizations can determine how much daily revenue will be lost if the shop floor comes to a grinding halt.
  • Financial institutions can determine how much daily revenue may be lost without the ability to process transactions.

2. Select your high-priority projects:

Is your organization compliance-based? Adherence to certain regulatory compliance can all but predetermine security budgets.

  • The addition of certain controls, technologies, and governance will be necessary to help meet these requirements.

Is digital transformation the top priority?

  • Shifting to more remote work, moving assets to the cloud, and improving customer engagement are just a few examples where security needs to be prioritized and given ample budget to succeed.

3. Avoid cost-cutting to save a few bucks:

When security budgets are reduced substantially, protection gaps can result.

  • Organizations should try to see the long game. What may appear to be a quick win in cost reduction(s) may hurt an organization in the long run, leading to a diminished ability to detect and respond to cyber events with increases in downtime and revenue loss should an adverse event occur.

4. Assess your Tech:

When looking at tools and controls to assist with things like prevention, detection, and response, it’s important to evaluate:

  • How much was spent on procuring any particular tool?
  • How much was spent installing or configuring that tool to fit within the environment?
  • Is there any recurring fee for its operation, i.e., operating expense?
  • Perhaps most important, is the tool meeting the organization’s expectations and needs and reducing risk as imagined?

Another aspect to consider is procuring tools that work well together.

If products are too independent, gaps in visibility may ensue or result in no apparent logic or connection between any alerts received. When cloud, network, email, and endpoints are harmoniously sharing information, organizations gain much more visibility into the vulnerabilities present within their infrastructure, enhancing their ability to defend and respond.

5. Invest in the human element:

Information security awareness training is no longer a “nice to have.”

Besides being required for cyber liability insurance, educating the workforce on cyber risk is critical to developing a strong security culture. Stronger security cultures result in less compromise, with employees exhibiting a higher prevalence of security-influenced behaviors.

“The human element continues to be a key driver of 82% of breaches and this pattern captures a large percentage of those breaches. Additionally, malware and stolen credentials provide a great second step after a social attack gets the actor in the door, emphasizing the importance of having a strong security awareness program.”

2022 Verizon Data Breach Investigations Report

6. How will you manage risk?

There are certainly more than the following two approaches, but generally speaking, organizations may take on a risk-based or cyber maturity-based approach.

Risk-Based Approach:

  • The organization attempts to Identify and prioritize technical controls that are part of a defined enterprise risk management framework
  • The organization maintains metrics on the efficacy of those controls
  • Examples include cyber risk quantification and the reporting on reductions to enterprise risk versus progress on capabilities

Maturity-Based Approach:

  • Much more typical among SMBs
  • The organization works to improve upon security fundamentals
  • Examples include implementing logging and monitoring, developing Incident Response playbooks, or installing Multi-Factor Authentication onto critical servers

7. Expect the unexpected:

Few of us foresaw the Log4j vulnerability or SolarWinds compromise. Events such as these can dramatically increase the responsibilities incurred by both senior leadership and IT and cyber personnel.

Assessing the impact(s) of these events and the increased effort needed to be proactive can cause cybersecurity budgets to swell. Make sure to have some buffer set aside to assist with unforeseen circumstances.

Next Steps

Buy-in from senior leadership is critical in creating a realistic and effective cybersecurity budget. Unfortunately and all too often, organizational leaders only become interested in cybersecurity when there’s an especially compelling reason to do so, e.g., after an adverse cyber event.

Cybersecurity budgeting still equates to an exercise in risk management. Organizations need to make sure lower-priority risks are not addressed at a higher cost than required while simultaneously ensuring that the highest priority risks are dealt with in the most cost-efficient manner possible. Be sure to make the best use of your cyber budget. If you need assistance prioritizing cyber within your budget or determining what to include in your cybersecurity strategy, contact us.

Matthew Polatsek