How to Create an Effective Cybersecurity Budget: A Security Budget Example

As a cybersecurity leader, you understand the significance of allocating adequate resources and funding to your cybersecurity budget. But how do you effectively communicate the financial requirements to the Board of Directors and C-suite? How can you secure the necessary budget approval for your cybersecurity security and risk management initiatives? How do you allocate that budget once you’ve gotten it? The budgeting process requires a robust and data-driven approach to ensure all aspects of security are covered.

During the budget season, it is crucial to plan for security services by considering factors such as overall cost, type of service, training, and customer service.

Creating a compelling business case is crucial to justify security budget planning to executive decision-makers. This helps articulate the business value of security initiatives and align the security program with business objectives.

Before reaching a functional budget, there are numerous inquiries that must be addressed. In this article, we aim to assist you in resolving these queries to help streamline the process.

Understanding your cybersecurity needs

The first question that comes to mind is: how much is needed to ensure the safety of my company? While in the enterprise space, this figure can reach into the tens of millions, for smaller organizations and the middle market, finding clear answers is not so simple. Most organizations, especially larger companies with many employees and a national or global footprint, struggle with real-time security status visibility, making it difficult for senior leaders to see the benefits of changing a process to improve future security posture. Regardless of the size of the cybersecurity budget for your organization, there are some straightforward techniques you can employ to create a rough estimate for your cybersecurity spending, without the need for a more intricate threat review.

This means that you need to focus on the estimated cost of a breach. So how do you determine that?

Calculating the cost of a breach

We’ve built out a spreadsheet to help with the calculation of the cost of a security breach, and a guide to take you step-by-step through the spreadsheet. Or, for those who need more help, our cyber advisors are available to help walk you through this budgeting exercise with a FREE consultation.

In our spreadsheet, we’ve divided the calculation into two main categories: incident response costs and recovery costs. Under incident response, you’ll want to consider such costs as outsourced IT & equipment, outsourced incident response, external counsel, a communications firm, and coverage counsel. Under recovery costs are considerations like customer attrition, sales pipeline, cyber premium increase, payroll increase, and security spend increase. Our spreadsheet and its calculations are the result of years of experience working with firms across multiple industries and helping them recover from a breach, and we hope that you’ll be able to take advantage of them to help guide your own budgeting efforts.

Building a business case for your cybersecurity budget

Clearly articulating the negative impact of security issues and the expected benefits is essential as part of the executive problem statement. This helps security leaders in making a compelling case for security initiatives to the executive decision-makers.

Example of a cybersecurity budget calculation

Let’s use these factors to calculate the cost for a hypothetical company, “Financial Investments Network” or FIN. FIN is a financial services company with $100M in revenue, which holds very little customer data and has a very limited external attack surface. FIN is the victim of a ransomware attack, which takes their environment down for 2 weeks. Luckily they are able to recover relatively quickly, but here are their potential costs.

• Incident response costs: $475K+
• Counsel, IR, comms firm: $100K+
• Hard recovery costs: $195K+
• Cyber insurance premium increase: $75K+
• Additional security budget: $120K+
• Soft recovery costs (reputational and productivity-related): $14.25M+
• %5 payroll increase: $1M+
• 7% customer attrition: $7M+
• 25% hit to future pipeline: $6.25M+

When planning a security budget, it is crucial to consider both capital expenditures (CAPEX) and operational expenses. Allocating funds effectively between these categories can help build a compelling business case with expected benefits and ROI.

The total projected cost of a medium-sized data breach is $14.725M for the first year, and we then estimate that the second year of breach costs is an additional $4.9M. That brings us to a whopping total of $19.633M over two years.

Based on these costs, we would recommend a minimum security spend of $1.98MM, which is about 10% of their total breach cost for a medium-sized incident over 2 years.

In this example, if FIN spends $1.98MM on its own cybersecurity investment today, they’ll potentially save $15.84MM over the next two years in what they would have felt in the impacts of a breach.

Customizing your cybersecurity budget

Note that we used the least-exposed type of company as an example. If you are a SaaS company and/or you hold a lot of sensitive information, this number exponentially increases. Just the cost of notification will be mid-six figures, not to mention the revenue hit due to brand reputation issues.

The security industry faces numerous challenges and common issues, such as employee turnover, falling asleep on the job, poor communication, and the importance of training and customer service in security services. Integrating technology and overcoming resistance to change are also significant concerns within the physical security industry.

Key elements of a cybersecurity budget

Hopefully, this illustrates a better way to calculate your security budgets with accurate figures and data-driven planning. Too many organizations are underspending, which has led to the deluge of cyber incidents. The other advantage of increasing and spending your cybersecurity budget on proactive services is the ability to amortize the costs over a longer period, so you can engage a services company like CDG on a monthly basis, spreading those costs over a 12-24 month period. During and post-incident you will be paying a premium to get the same security controls implemented in a much shorter amount of time.

Making a case for security spending

We hope that in working through the exercise of the cost of a breach you’ll have much of the ammunition you need to argue the case to leadership of the importance of more security spending today to avert future (or additional) crises of tomorrow. After all, ~2MM spent today that saves you ~$16MM tomorrow seems like a solid argument for a robust security budget and demonstrates actual ROI. For those organizations working in cloud environments with highly sensitive, highly regulated data or a broad attack surface, the cost of a breach could be much higher.

For those whose leadership doesn’t live and breathe the cybersecurity industry and news, showcase for them the way that cyberattacks have become a real threat to modern-day businesses. Just witness the recent mayhem at MGM Resorts in Las Vegas, NV, where an attack shut down reservation systems and digital room keys. The actual cost to MGM was estimated to be over $100M. Cybercriminals can, amongst other things, introduce malware that can slow down or stop entire systems or initiate ransomware attacks. Remind the C-suite and BOD that these attacks can compromise your systems and cost your company lost productivity, reputational damage, and a significant financial downturn.

Allocating your cybersecurity budget

The only real option to survive today’s online environment is to have a strong cybersecurity defense program. Security teams play a crucial role in managing various budget areas, ensuring the investment in proper digital infrastructure, cloud technologies, comprehensive employee training, serious cybersecurity budgets, and expert monitoring and auditing of systems. And all of this takes money. It’s vital to spend on cybersecurity today to avoid being a target of hackers tomorrow.

Key considerations for cybersecurity spending

Now that you’ve gotten the overall budget, what should you consider when building out the plan of where to allocate funds?

Generally, your line items that make up your cybersecurity budget will encompass three main buckets: people, processes, and technology. The people may be in-house personnel or external resources; the technology encompasses software and hardware, both cloud providers and for many enterprises, on-premises tech; and the processes can be anything from employee awareness training to audits and assessments. Within those broader strokes, a cybersecurity budget should consider the following elements, but of course taking into account your organization’s specific needs, business priorities, and capabilities, and allowing for modification over time:

• Personnel – you need the right team in place to keep your organization secure, whether that’s in-house security professionals or external, managed service provider assistance.
• Technologies – to keep your infrastructure secure (be it cloud or on-premises or both) requires an investment in technologies. From firewalls to endpoint to multi-factor authentication (MFA) solutions, your budget will need to account for them all.
• Cybersecurity risk assessments & ongoing monitoring – Risk assessments are like the blueprint for creating personalized security plans and setting up defenses to make sure the organization can handle cyber threats, keeping important data and assets safe. By keeping an eye out for new weaknesses and dangers, ongoing monitoring steps up the protection game.
• Incident response – it’s essential to have a thorough plan of action for what your organization will do in the event of a cyberattack in place before that attack occurs. That’s because:
  • The incident response plan allows you to get into action right away, and keep the damage to a minimum.
  • Without a well-thought-out incident response plan, you might end up drawing more attention from the government after a cyberattack. It can make it seem like your organization isn’t equipped to deal with such situations.
• Compliance – organizations with data subject to strict regulations like HIPAA, GDPR, or CCPA need to ensure that they are meeting these regulatory standards, and put in place the proper people, technology, and processes to do so.
• Training – for truly comprehensive security, everyone in an organization needs to understand how to keep themselves protected from things like phishing and social engineering attacks. This is where training and an employee education program are key.
• Cyber insurance – for a business cyber insurance is a must in case of a breach, the cost of that insurance must be factored in.
• Successful new business initiatives – it’s crucial to allocate sufficient funds for cybersecurity. As organizational priorities evolve and the business environment fluctuates, the ability to adapt and support new programs becomes paramount. Neglecting this aspect may lead to challenges such as the emergence of shadow IT.

The true ROI of cybersecurity spending

Cybersecurity is often viewed as a hindrance and a cost for businesses, but this perception is outdated in the 21st century. The truth is, that investing in a robust cybersecurity program brings undeniable returns on investment. It not only prevents costly breaches but also enables organizations to showcase the effectiveness of their security measures externally.

Like the safety features of a modern car—airbags, ABS, and collision avoidance—cybersecurity allows your organization to navigate the “information superhighway” with confidence, accelerating contract execution, rapid growth, and revenue generation. Don’t underestimate the power of cybersecurity spending with a well-funded and resourceful cybersecurity program, it can propel your business forward.

Financial impact of cybersecurity investments

Investing in cybersecurity tools can significantly mitigate the risk of data breaches and other cyber attacks, resulting in substantial cost savings for organizations. By reducing expenses related to investigation endpoint detection, remediation, and regulatory compliance, cybersecurity measures prove their worth. In fact, data breaches in the US alone have an average financial impact of $9.48 million.

Building customer trust and loyalty

Building customer trust and loyalty is crucial for business growth. When organizations take measures to safeguard customer data, it instills confidence in their minds. According to the 2024 Verizon Data Breach Investigations Report, a staggering 88% of consumers are more inclined to engage with transparent businesses and companies that openly address data breaches.

Enhanced competitive advantage

Smart cybersecurity spending can help organizations stay ahead of the competition in terms of data protection and managed security services. This is indicated by the $2 trillion market opportunity for cyber tech and managed detection service providers (McKinsey).

Long-term benefits of cybersecurity spending

Investing in cybersecurity spending can yield a substantial return on investment for organizations, regardless of their size. By committing to cybersecurity measures, organizations can achieve cyber resilience, mitigate the risk of cyber attacks, foster customer trust and loyalty, and gain a competitive edge.

Leadership and cybersecurity investment

Cybersecurity has evolved beyond a mere technical concern to become a crucial matter at the highest levels of management and organizational leadership. It is imperative for leaders to grasp the repercussions of inadequate cybersecurity spending and make well-informed decisions regarding security investments. They must acknowledge the significance of staying abreast of emerging threats and vulnerabilities, and place paramount importance on allocating resources necessary to establish a robust security posture and budget, thereby mitigating the risk of costly breaches.

Conclusion

Hopefully, this article has helped you determine the amount you need for your cyber risks and services in your cybersecurity budgets, given you a few arguments to take to leadership to justify that spend, and offered a few thoughts on how and where best to allocate your dollars effectively. If you would like help with any part of this, in particular the use of our budgeting spreadsheet, please let one of the Cyber Defense Group expert cybersecurity advisors help walk you through this budgeting exercise with a FREE consultation.

We also created this handy ebook, “How Much Should You Allocate to Your Cybersecurity Budget?” for those of you interested in a deeper look at security spending. Enjoy!