Three Approaches to Setting Cyber Security Budgets

With evolving and emerging cyber threats, setting aside enough budget for cyber security initiatives is increasingly important. Recent industry figures indicate that many firms set aside about ten percent of the total IT budget for cybersecurity.


But, is a percentage of IT budget enough for protecting all your IT environment and investing in security training and awareness, new security solutions, network essentials, perimeter and next-gen data loss prevention, as well as regulatory and compliance adherence? In modern organizations, ten percent may just be a starting point.

Have you considered these three approaches for setting your cyber security budget in the year ahead?

Reactive vs. Proactive Approach to Cyber Security Budgeting

Creating a cyber security budget must be a business priority for years ahead. However, for many organizations, it’s still something that’s reactive. A hacker penetrates the network, and suddenly you need a new firewall, IDS/IPS, anti-virus, and a whole host of other prevention products to put an end to an onslaught of attacks. In a previous blog post, our US Security Director highlighted how many organizations are focused on preventative measures. But this misses the other critical areas of information security: detection and response. Most corporate networks can and will be hacked at some point; hackers only need to execute one successful attack to make their way into your data and network. It only makes sense to have a better approach to cyber security budgeting.

An ad-hoc or reactive approach to information security budget-setting may work for some, but cash-sensitive organizations could risk never getting critical security projects approved. Most cybersecurity budgets also focus only on preventing data breaches and keeping cybercriminals out. So it only makes sense to move away from reactive budget-setting toward a proactive budget for information security.

A proactive approach to cyber security budgets means understanding the mindset of a cybercriminal and then building a strategy around that mindset. Your security team must become expert at finding the weaknesses an attacker would use to penetrate your corporate network, and then take measures to fix them. If you don’t have in-house experts, then you may need to consider annual risk and vulnerability assessments as well as more regular penetration testing and Red Team/Blue Team exercises.

Benchmark Approach to Cyber Security Budgeting

How’s your company doing regarding cybersecurity prevention, detection, and response? If that question is difficult to answer, then you might consider a benchmarked approach to setting your cyber security budgets and investments.

A benchmark approach looks at how you’re operating and compares it to your peers, a framework, a comprehensive study, or a group of interviewed organizations. When an organization can observe the best practices of other security teams (organizational structure, level of investment in security, KPIs, etc.), it can quantify its own results and prepare a standard cybersecurity budget that begins to address weaknesses and build on strengths.

Risk-Based Approach to Cyber Security Budgeting

If you start with a risk-based approach to setting your budget, you begin to share with your Leadership Team the categories of risk for each area in your information security portfolio. A risk-based approach is often considered a budgeting method for mature security organizations because they can categorize risks across several domains and budget based on the cost to mitigate cyber risks. CIPHER uses a framework similar to the NIST Cybersecurity Framework where five domains represent the information security lifecycle.

Figure: CIPHER Security Framework

This approach is like the benchmark approach but takes it a step further by categorizing your security lifecycle areas by varying degrees of risk. This enables your organization to prioritize investment in areas that will make a noticeable improvement to your security operations. We also map a risk-based approach to five levels of maturity within security operations (shown in the figure below).

Figure: Cybersecurity Maturity Levels

Once your leadership recognizes security risks and the cost to the business, you will be in a much better position to obtain investment for your cyber security initiatives.

What method have you used in the past and what are you using for 2018? Tell us about your hurdles and successes in the comments below!

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services and Security Consulting Services with ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions. 
