How to create a cybersecurity budget?

As a cybersecurity leader, you understand the importance of allocating adequate resources and funding to your cybersecurity budget. But how do you communicate the financial requirements to the Board of Directors and the C-suite? How do you secure budget approval for your security and risk management initiatives? And how do you allocate that budget once you have it?

Several questions have to be answered before you arrive at a workable budget. This article walks through them to help streamline the process.

Cybersecurity spending: How much should you spend?

The first question that comes to mind is: how much is needed to keep my company safe? In the enterprise space this figure can reach into the tens of millions; for smaller organizations and the middle market, clear answers are harder to come by. Whatever the size of your organization, there are some straightforward techniques for producing a rough estimate of your cybersecurity spending without first running a full threat and risk assessment.

Consider your risk

Considering your risk means starting from the estimated cost of a breach to your organization. So how do you determine that?

We’ve built out a spreadsheet to help with that calculation, and a guide to take you step-by-step through the spreadsheet. Or, for those who need more help, our cyber advisors are available to help walk you through this budgeting exercise with a FREE consultation.

In our spreadsheet we’ve divided the calculation into two main categories: incident response costs and recovery costs. Under incident response, you’ll want to consider such costs as outsourced IT & equipment, outsourced incident response, external counsel, a communications firm, and coverage counsel. Under recovery costs are considerations like customer attrition, sales pipeline, cyber premium increase, payroll increase, and security spend increase. Our spreadsheet and its calculations are the result of years of experience working with firms across multiple industries and helping them recover from a breach and we hope that you’ll be able to take advantage of them to help guide your own budgeting efforts.

Please remember that every organization is unique and our baseline in the spreadsheet is a hypothetical company with very little customer data and a limited attack surface. For organizations with more customers, larger quantities of critical data and larger attack surfaces, you will want to customize and increase amounts to take this into account.

Calculate your cyber security budget

Sample calculation for cybersecurity investment

Let’s use these factors to calculate the cost for a hypothetical company, “Financial Investments Network” or FIN. FIN is a financial services company with $100M in revenue, which holds very little customer data and has a very limited external attack surface. FIN is the victim of a ransomware attack, which takes their environment down for 2 weeks. Luckily they are able to recover relatively quickly, but here are their costs.

  • Incident response costs: $475K
    • Counsel, IR firm, communications firm
  • Hard recovery costs: $195K
    • Cyber insurance premium increase: $75K
    • Additional security budget: $120K
  • Soft recovery costs (reputational and productivity-related): $14.25M
    • 5% payroll increase: $1M
    • 7% customer attrition (of $100M revenue): $7M
    • 25% hit to future pipeline: $6.25M

Summing those line items, the projected first-year cost of this medium-sized incident is $14.92M ($475K + $195K + $14.25M). We then estimate a further $4.9M of breach costs in the second year, bringing the two-year total to roughly $19.8M.

Based on these costs, we would recommend a minimum annual security spend of about $1.98M, which is 10% of the two-year cost of a medium-sized incident.

In this example, if FIN commits $1.98M a year to its own cybersecurity program today (about $3.96M over two years), it stands to avoid roughly $15.84M of the costs it would otherwise absorb from a breach over the same period.
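The FIN calculation above, written as a parameterized model so the inputs can be changed for your own organization. This is an added example, not CDG's spreadsheet: the $20M payroll and $25M sales pipeline are assumptions backed out from the "5% = $1M" and "25% = $6.25M" lines, and the 10% rule and the $4.9M second-year estimate are taken from the article as given.

```python
"""Breach-cost model in the shape of the FIN worked example (added example, not
CDG's spreadsheet). Structure: incident response + hard recovery + soft recovery
for year one, a second-year estimate, then a 10%-of-two-year-cost budget rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachInputs:
    annual_revenue: float        # base for customer attrition
    annual_payroll: float        # ASSUMED base for the post-breach payroll increase
    sales_pipeline: float        # ASSUMED base for the pipeline hit
    incident_response: float     # outsourced IT/equipment, IR firm, counsel, comms firm
    premium_increase: float      # hard recovery: cyber insurance premium increase
    added_security_spend: float  # hard recovery: extra security budget after the breach
    payroll_increase_pct: float  # soft recovery, as a fraction (0.05 = 5%)
    attrition_pct: float         # soft recovery: share of revenue lost to attrition
    pipeline_hit_pct: float      # soft recovery: share of pipeline lost
    year_two_costs: float        # estimate of breach costs carrying into year two


def breach_costs(i: BreachInputs) -> dict:
    """Return the first-year breakdown and the two-year total, in dollars."""
    hard = i.premium_increase + i.added_security_spend
    soft = (i.annual_payroll * i.payroll_increase_pct
            + i.annual_revenue * i.attrition_pct
            + i.sales_pipeline * i.pipeline_hit_pct)
    year_one = i.incident_response + hard + soft
    return {
        "incident_response": i.incident_response,
        "hard_recovery": hard,
        "soft_recovery": soft,
        "year_one": year_one,
        "two_year": year_one + i.year_two_costs,
    }


def recommended_budget(two_year_cost: float, fraction: float = 0.10,
                       years: int = 2) -> dict:
    """Rule of thumb from the article: annual spend = 10% of the two-year breach cost.

    net_avoided is the two-year breach cost minus that spend over the same years.
    """
    annual = two_year_cost * fraction
    return {"annual_spend": annual, "net_avoided": two_year_cost - annual * years}


# FIN, the hypothetical company from the article. Payroll and pipeline are
# assumptions chosen so the percentages reproduce the article's dollar lines.
FIN = BreachInputs(
    annual_revenue=100_000_000,
    annual_payroll=20_000_000,      # assumed
    sales_pipeline=25_000_000,      # assumed
    incident_response=475_000,
    premium_increase=75_000,
    added_security_spend=120_000,
    payroll_increase_pct=0.05,
    attrition_pct=0.07,
    pipeline_hit_pct=0.25,
    year_two_costs=4_900_000,
)


def fin_summary() -> dict:
    """Costs and budget recommendation for FIN, rounded to whole dollars."""
    costs = breach_costs(FIN)
    budget = recommended_budget(costs["two_year"])
    return {k: round(v) for k, v in {**costs, **budget}.items()}


if __name__ == "__main__":
    for name, value in fin_summary().items():
        print(f"{name:>18}: ${value:,}")
```

Run it to print the breakdown; then raise `attrition_pct` or `sales_pipeline` to see how quickly the soft recovery costs come to dominate for a customer-heavy or SaaS business, which is the point of the caveat that follows.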

Note that we used the least-exposed type of company as the example. If you are a SaaS company and/or you hold a lot of sensitive information, this number rises sharply. Breach notification alone will run to the mid six figures, before the revenue hit from reputational damage.

This illustrates a more defensible way to size your cybersecurity budget. Too many organizations are underspending, which has contributed to the deluge of cyber incidents. Spending that budget on proactive services has a further advantage: the costs can be spread over a longer period, for example by engaging a services company like CDG on a monthly basis over 12 to 24 months. During and after an incident you will pay a premium to have the same security controls implemented in a much shorter time.

Building a business case for your security spending

Working through the cost-of-a-breach exercise should give you much of the ammunition you need to argue to leadership that more security spending today averts the crises (or the additional crises) of tomorrow. After all, roughly $2M spent today that saves roughly $16M tomorrow is a solid argument for a robust security budget and demonstrates real ROI. For organizations operating in cloud environments with highly sensitive, highly regulated data or a broad attack surface, the cost of a breach could be much higher.

For leadership that does not live and breathe cybersecurity news, show them how cyberattacks have become a real threat to modern businesses. Witness the September 2023 attack on MGM Resorts in Las Vegas, NV, which shut down reservation systems and digital room keys; MGM itself put the cost at roughly $100M. Cybercriminals can, among other things, introduce malware that slows or halts entire systems, or launch ransomware attacks. Remind the C-suite and Board that such attacks compromise your systems and cost the company lost productivity, reputational damage and a significant financial hit.

The only real option for surviving today's online environment is a strong cybersecurity defense program. That means investing in proper digital infrastructure, cloud technologies, comprehensive employee training, serious cybersecurity budgets, and expert monitoring and auditing of systems. All of this takes money. Spending on cybersecurity today reduces both the likelihood and the impact of an attack tomorrow.

What goes into your cybersecurity budget?

Now that you’ve gotten the overall budget, what should you consider when building out the plan of where to allocate funds?

People, processes, and technology

Generally, the line items that make up your cybersecurity budget fall into three main buckets: people, processes and technology. People may be in-house personnel or external resources; technology covers software and hardware, cloud providers and, for many enterprises, on-premises equipment; and processes range from employee awareness training to audits and assessments.

Within those broad strokes, a cybersecurity budget should consider the following elements, adjusted to your organization's specific needs, business priorities and capabilities, and revisited over time:

  • Personnel – you need the right team in place to keep your organization secure, whether that is in-house security professionals or external, managed service provider assistance.
  • Technologies – keeping your infrastructure secure (cloud, on-premises or both) requires an investment in technology. From firewalls to endpoint protection to multifactor authentication (MFA), your budget will need to account for them all.
  • Cybersecurity risk assessments & ongoing monitoring – a risk assessment is the foundation for a tailored security strategy and for choosing the measures that protect sensitive data and critical assets. Ongoing monitoring then identifies new vulnerabilities and threats as they appear.
  • Incident response – have a thorough plan for what your organization will do in the event of a cyberattack in place before that attack occurs, because:
    • A tested incident response plan lets you act immediately and keep the damage to a minimum.
    • The lack of a well-designed incident response plan can also invite greater regulatory scrutiny after an attack, since it signals that the organization is not equipped to handle such a scenario.
  • Compliance – organizations with data subject to strict regulations such as HIPAA, GDPR or CCPA need to meet those regulatory standards, and must budget for the people, technology and processes to do so.
  • Training – for truly comprehensive security, everyone in the organization needs to understand how to protect themselves from threats such as phishing and social engineering. Training and an employee education program are key here.
  • Cyber insurance – for a business that wants cyber insurance in case of a breach, the cost of that insurance must be factored in.
  • Contingency for new business initiatives – as organizational priorities evolve and the business environment changes, the security program must be able to support new initiatives. Without reserved funds that can be redirected quickly, teams route around security and shadow IT emerges.

Cyber investments: Unlocking the path to ROI!

Cybersecurity is often viewed as a hindrance and a cost for businesses, but that perception is outdated. Investing in a robust cybersecurity program brings real returns: it reduces the likelihood and cost of breaches, and it lets organizations demonstrate the effectiveness of their security measures to customers, partners and regulators.

Like the safety features of a modern car (airbags, ABS, collision avoidance), cybersecurity lets your organization navigate the "information superhighway" with confidence, accelerating contract execution, growth and revenue generation. Do not underestimate what a well-funded and well-resourced cybersecurity program can do to propel your business forward.

Let’s summarize that ROI

Investing in cybersecurity tools significantly reduces the risk of data breaches and other cyberattacks, and with it the cost of investigation, detection, remediation and regulatory compliance. Those savings are substantial: data breaches in the US alone have an average financial impact of $9.48 million (IBM Cost of a Data Breach Report 2023).

Building customer trust and loyalty is crucial for business growth. When an organization visibly safeguards customer data, customers gain confidence in it. Consumer surveys consistently find that a large majority of consumers (one widely cited figure is 88%) are more inclined to engage with businesses that are transparent about data protection and open about breaches when they occur.

Enhanced competitive advantage. Smart cybersecurity spending can help organizations stay ahead of the competition in data protection and managed security services; McKinsey estimates a $2 trillion market opportunity for cyber technology and managed detection and response providers.

Investing in cybersecurity can yield a substantial return for organizations of any size. By committing to security measures, organizations build cyber resilience, reduce the risk of attacks, manage risk, foster customer trust and loyalty, and gain a competitive edge.

Final thoughts on cybersecurity budgets

Cybersecurity has evolved from a purely technical concern into a matter for the highest levels of management and organizational leadership. Leaders must understand the repercussions of inadequate cybersecurity spending and make well-informed decisions about security investments. That means staying abreast of emerging threats and vulnerabilities, and prioritizing the resources needed to establish a security posture and budget strong enough to mitigate the risk of a costly breach.

Need help with your cybersecurity budget?

We hope this article has helped you size the budget your cyber risks and services require, given you a few arguments to take to leadership to justify that spend, and offered some thoughts on how and where to allocate your dollars effectively. If you would like help with any part of this, in particular using our budgeting spreadsheet, one of the Cyber Defense Group cybersecurity advisors can walk you through the budgeting exercise in a FREE consultation.

We also created this handy ebook, “How Much Should You Allocate to Your Cybersecurity Budget?” for those of you interested in a deeper look at security spending. Enjoy!

Copyright © 2024 CDG. All Rights Reserved