By Stephen M.W.
Preparing and approving the cybersecurity budget is one of the most important responsibilities for IT security executives. The budget has a direct impact on the organization’s ability to avoid or overcome cyberattacks. But the cybersecurity landscape is complex and fluid, so there is always a real possibility of not seeing the full picture of the risks facing the enterprise. If the cybersecurity budget fails to adequately cover all key bases, the organization may be forced to spend much more on remedial measures later on to contain a successful cyberattack. While the more obvious cybersecurity expenses are crucial, it is important that you do not lose sight of the not-so-obvious ones, including the following.
1. Employee costs
Staff costs are perhaps one thing you would not expect to fall through the cracks. Yet, a surprising number of decision-makers do not incorporate employee expenses in their cybersecurity budget. Sometimes, the assumption is that staffing is something to be dealt with separately. This is, however, a potentially costly mistake.
Cybersecurity experts don’t come cheap. For years now, there has been a large shortfall of qualified IT security personnel compared to industry vacancies, and this deficit is expected to linger for years. Naturally, this means the average remuneration of cybersecurity professionals will continue to rise.
But this is not the only aspect of employee costs that should be in the cybersecurity budget. Employee budget costs should include the staff training expenses meant to address malicious behavior, negligence, or user mistakes.
2. Incident response
Incident response is another cybersecurity expense that does not always get the budget attention and allocation it deserves. Perhaps that is because, for most organizations, significant and successful security incidents do not occur on a weekly, monthly, or even quarterly basis. It is easy for incident response to be relegated to the backburner and treated as an afterthought.
It is only when a cyberattack occurs that the organization scrambles to allocate funds to incident response. This approach to incident management is a missed opportunity. A well-thought-out and appropriately funded incident response strategy can reduce or limit the financial loss resulting from a cyberattack.
The cost of incident response should include incident plan review, staff training, and software procurement.
3. Underestimating resource replacement
When contemplating resources that could be compromised or destroyed following a cyberattack, cybersecurity decision-makers will focus on mission-critical systems. Estimates of replacement costs are calculated with these sensitive, vulnerable systems in mind. And to a great extent, this would seem like the right thing to do.
However, attacks on the less sensitive and less vulnerable systems could still significantly impair the organization’s ability to operate and meet its obligations. Without factoring these systems into resource replacement costs, the business is bound to have a difficult time quickly restoring operations to at or near normalcy.
4. Consultants
Organizations are not always fond of consultants and often believe it is a luxury when it comes to cybersecurity expenses. There is a sense that consultants are paid exorbitant fees for stating the obvious. But consultants are a necessary evil, especially in the realm of cybersecurity. When a cyberattack occurs, few organizations will have the expertise internally to contain and resolve the incident on their own.
There will be a need to rope in third parties who have a deeper understanding of that type of attack and can provide experience-based guidance that leads to speedy and conclusive resolution. Without setting aside a budget for cybersecurity consultants, the business response may be severely constrained. Every minute that the attack remains unresolved is more time for cybercriminals to achieve their nefarious goals.
5. Cyber-insurance
Many organizations are starting to look at cyber-insurance as a key component of their cybersecurity strategy. Yet, a surprisingly large number of enterprises do not see cyber-insurance as of sufficient importance to be included in their cybersecurity budget.
The absence of cyber-insurance means the organization has to bear the entire financial loss and costs resulting from a breach. So useful is cyber-insurance that it is still helpful even if you do not end up signing up for the policy. The underwriting process itself can identify security gaps. Filling these gaps can improve your security environment whether or not you do eventually subscribe to the insurance policy.
6. Cloud security services
Gone are the days when you needed to do everything security-related in-house. The computing environment has changed dramatically over the last few years. Cloud servers are the enterprise norm. So if you run a large organization or have a limited number of cybersecurity staff, you should consider setting aside a budget for security as a service.
This reduces the burden on your cybersecurity staff while allowing you to tap into the expertise of a team with broad experience in cloud security. Without such cloud security services, your security employees could be stretched thin and struggle to stay on top of cloud computing risks.
7. Change management
Change is a fact of everyday living. This holds true for cybersecurity as well. You not only have to contend with the security concerns of your existing setup but also accommodate the costs of the evolving cybersecurity landscape. The new scenarios may call for a new security stance, and this will require additional spending.
Instead of waiting until these new scenarios unfold, it’s prudent to set aside a budget for change management from the get-go. The costs would cover everything from strategy shifts and process changes to software upgrades and training needs.
What you spend on is as important as how much you spend
While increased spending on cybersecurity is a positive, the strength of protection is not solely a factor of the total amount of money spent. Knowing what to spend on is the real challenge. A comprehensive security budget does not have to be backed by truckloads of cash to be effective. It does, however, require identifying and addressing all the key risks.
There’s never an assurance of 100 percent protection. Nevertheless, your best bet is in deploying a dynamic, multifaceted risk-based cybersecurity budget. With that, there is a lower risk of any critical component falling through the cracks.
Stephen regularly writes about technology, business continuity, compliance, and project management for TechGenix. He’s worked with companies such as Canva.com, EnergyCentral.com, and Citibank.