With evolving and emerging cyber threats, setting aside enough budget for cyber security initiatives is increasingly important. Recent standards indicate that many firms set aside about ten percent of the total IT budget for cybersecurity.
But, is a percentage of IT budget enough for protecting all your IT environment and investing in security training and awareness, new security solutions, network essentials, perimeter and next-gen data loss prevention, as well as regulatory and compliance adherence? In modern organizations, ten percent may just be a starting point.
Have you considered these three approaches for setting your cyber security budget in the year ahead?
Reactive vs. Proactive Approach to Cyber Security Budgeting
Creating a cyber security budget must be a business priority for years ahead. However, for many organizations, it’s still something that’s reactive. A hacker penetrates the network, and suddenly you need a new firewall, IDS/IPS, anti-virus, and a whole host of other prevention products to put an end to an onslaught of attacks. In a previous blog post, our US Security Director highlighted how many organizations are focused on preventative measures. But, this misses the other critical areas of information security, detection, and response. Most corporate networks can and will be hacked at some point; hackers only need to execute one successful attack to make their way into your data and network. It only makes sense to have a better approach to cyber security budgeting.
An ad-hoc or reactive approach to information security budget-setting may work for some, but cash-sensitive organizations could risk never getting critical security projects approved. Also, most cybersecurity budgets focus on preventing data breaches and keeping cybercriminals out. So, it only makes sense to move away from a reactive budget setting approach to a proactive budget for information security.
A proactive approach to cyber security budgets means understanding the mindset of a cybercriminal and then building a strategy around that approach. Your security team must become experts in finding opportunities to penetrate your corporate network and then take measures to fix it. If you don’t have in-house experts, then you may need to consider annual risk and vulnerability assessments as well as more regular penetration testing and Red Team/Blue Team exercises.
Benchmark Approach to Cyber Security Budgeting
How’s your company doing regarding cybersecurity prevention, detection, and response? It might be difficult to answer this question. If it is difficult to answer that question, then you might consider a benchmarked approach to setting your cyber security budgets and investments.
A benchmark approach looks at how you’re operating and compares it to your peers, a framework, a comprehensive study, or a group of interviewed organizations. When an organization can observe the best practices of other security teams (organizational structure, level of investment in security, KPIs, etc.), the organization can quantify its results and prepare a standard cybersecurity budget that begins to improve on weaknesses and strengthen opportunities.
Risk-Based Approach to Cyber Security Budgeting
If you start with a risk-based approach to setting your budget, you begin to share with your Leadership Team the categories of risk for each area in your information security portfolio. A risk-based approach is often considered a budgeting method for mature security organizations because they can categorize risks across several domains and budget based on the cost to mitigate cyber risks. CIPHER uses a framework similar to the NIST Cybersecurity Framework where five domains represent the information security lifecycle.
This approach is like the benchmark approach but takes it a step further by categorizing your security lifecycle areas by varying degrees of risk. This enables your organization to prioritize investment in areas that will make a noticeable improvement to your security operations. We also associate a risk-based approach against five levels of maturity within the security operations. (Noted in the Figure below)
Once your leadership recognizes security risks and the cost to the business, you will be in a much better position to obtain investment for your cyber security initiatives.