How much should your organization be spending on cybersecurity? It’s a question that seems like it should have a simple answer—it’s virus protection, it’s a firewall, etc., and these items may already have a line on your IT budget. If you need more protection, you can just add more money to that line, right?
Well, yes and no. Throwing more money at your cybersecurity needs can work, for a time. But eventually the return on your investment will start to wane, and more money will only get you incremental—if not nonexistent—improvement in your cybersecurity. Simply put, you could put every dollar you have toward cybersecurity and never get your cybersecurity risk down to zero.
Finding this sweet spot where you’re protecting your business appropriately but not spending needlessly is what we call the intersection of risk and investment.
Any amount to the left of that intersection is underspending on cybersecurity. Any amount to the right is overspending, and the residual risk there is usually better transferred through a cybersecurity insurance policy than bought down with more controls. This intersection will be in a different place for each organization.
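To make the intersection concrete, here is an added worked example in Python. It is not the article's own method and not a model used by Eide Bailly or Secuvant; the cost curve (breach probability that halves with each fixed slice of spend) and every dollar figure in it are assumptions chosen only to show the shape of the argument: spend keeps buying less and less risk, residual risk never reaches zero, and the intersection is the point where the next dollar of spend removes exactly one dollar of expected loss.

```python
import math

# Constructed, illustrative cost model for the "intersection of risk and investment".
# Not the article's method; every parameter value here is an assumption.
#   potential_loss   : cost of one successful breach (dollars)
#   base_breach_prob : annual breach probability with no security spend
#   halving_spend    : dollars of spend that halve the remaining breach probability
#                      (diminishing returns: every further halving costs the same again)


def residual_breach_prob(spend, base_breach_prob, halving_spend):
    """Breach probability left after `spend` dollars of investment. Never reaches zero."""
    return base_breach_prob * 0.5 ** (spend / halving_spend)


def expected_loss(spend, potential_loss, base_breach_prob, halving_spend):
    """Annual expected loss (breach cost times remaining breach probability)."""
    return potential_loss * residual_breach_prob(spend, base_breach_prob, halving_spend)


def total_cost(spend, potential_loss, base_breach_prob, halving_spend):
    """What the organization pays overall: the spend itself plus the loss it still expects."""
    return spend + expected_loss(spend, potential_loss, base_breach_prob, halving_spend)


def marginal_benefit(spend, potential_loss, base_breach_prob, halving_spend):
    """Expected loss removed by the next dollar of spend (negative slope of expected_loss)."""
    return (potential_loss * base_breach_prob * math.log(2) / halving_spend
            * 0.5 ** (spend / halving_spend))


def intersection(potential_loss, base_breach_prob, halving_spend):
    """Spend that minimizes total_cost: the point where marginal_benefit == 1.

    Closed form for this curve; clamped at zero when even the first dollar
    buys less than a dollar of risk reduction.
    """
    ratio = potential_loss * base_breach_prob * math.log(2) / halving_spend
    if ratio <= 1:
        return 0.0
    return halving_spend * math.log2(ratio)


def classify(spend, potential_loss, base_breach_prob, halving_spend, tolerance=0.05):
    """Left of the intersection is underspending, right of it is overspending."""
    mb = marginal_benefit(spend, potential_loss, base_breach_prob, halving_spend)
    if abs(mb - 1) <= tolerance:
        return "at intersection"
    return "underspending" if mb > 1 else "overspending"


if __name__ == "__main__":
    # Assumed numbers for a mid-sized firm: a $2M breach, 40% yearly odds untreated,
    # and $100k of well-targeted spend halving the remaining odds.
    params = dict(potential_loss=2_000_000, base_breach_prob=0.40, halving_spend=100_000)
    best = intersection(**params)
    print(f"intersection of risk and investment: ${best:,.0f}/year")
    for spend in (0, 100_000, best, 400_000, 1_000_000):
        print(f"spend ${spend:>9,.0f}  expected loss ${expected_loss(spend, **params):>9,.0f}"
              f"  total ${total_cost(spend, **params):>9,.0f}  {classify(spend, **params)}")
```

The useful output is not the dollar figure, which depends entirely on the assumed curve, but the behaviour: at $1M of spend the residual probability is still above zero, and the total cost of that position is higher than at the intersection because the last several hundred thousand dollars removed almost no expected loss. That is the region where an insurance policy, not another control, is the cheaper way to carry what is left.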
How do you find your intersection of risk and investment? To start, you’ll need to understand how to align your cyber strategies with both your industry and your business risks.
Cybersecurity Budgets by Industry
Different industries carry different inherent cybersecurity risks, so it is important to know what a typical budget looks like for a business of your size in your industry. With the help of research published by industry leaders, we have created a calculator that breaks down how much you should be spending on cybersecurity as a percentage of your IT budget.
Our cybersecurity budget calculator can help you determine what you should be spending on cybersecurity based on your industry.
Aligning Cyber Risk and Business Risk
Now that you have an idea of what your budget could be, the next step is to figure out exactly what you should be spending that money on. As the intersection of risk and investment showed, you’ll never get your risk to zero, so the key here is to put that money into protection that covers your most important business risks.
It’s crucial to understand that “business risk” here refers to risks to your overall business objectives or priorities, not specifically IT or information security risks. When you map your cybersecurity to your business risk, you can strategically invest in the areas that matter the most to your company, and in some cases can actually lead to reduced spending on cybersecurity.
At Eide Bailly, we work with our strategic partner Secuvant to identify risk in seven key areas for businesses, which we call the Cyber7™:
This helps businesses not only define where to put their cybersecurity budget, but also when and how to spend it.
Getting the Right Expertise
Finding your intersection of risk and investment is a lot easier when you have professionals who can help you work through understanding your risk. But as many businesses will attest, hiring and retaining information security staff can be tough, and expensive.
Outsourcing is a good option for bringing qualified, broad cybersecurity expertise into your organization at lower cost. It is important to clarify that this outsourcing does not replace your IT department or its activities. Rather, it is an opportunity to enhance and complement those efforts without straining budgets.
A virtual information security officer can work with your executive team to explain cybersecurity in terms of business risk, facilitate strategic decisions and help deploy them across your organization. Critically, a virtual information security officer working with your executive team can help your organization understand one of the most fundamental aspects of cybersecurity: cultivating a culture of security.
The Importance of Culture
Cybersecurity is not simply a tool you put in place. The best cybersecurity plan is one that helps everyone in your organization understand they play a role in protecting the company. This culture of security requires a top-down approach—your staff need to see that cybersecurity is being taken just as seriously by management as it is in the IT department. Are your executives taking the same security training as everyone else? Is cybersecurity part of their everyday routine, so that when they turn on their computer they understand the risks they face and act appropriately? Without that kind of buy-in, a culture of security cannot take hold, and your cybersecurity budget is not gaining its full potential.
When you combine your intersection of risk and investment with an organization-wide culture of security, you’re putting up your best defenses against cyberattacks. You’ll be spending your cybersecurity budget protecting the mission-critical aspects of your business, freeing up dollars—and time—to focus on your goals. While you can never buy your way down to zero cybersecurity risk, you can attain the next best thing—confidence in your defenses, and your team.