It is almost always less expensive to prevent a cyberattack than to repair the damage after one occurs. Still, many enterprises compile cybersecurity budgets with critical omissions that can leave the organization vulnerable to significant financial damage.
Every organization, regardless of its size or focus, should create a rational, accurate cybersecurity budget. "Budgets bring an element of reality and practicality to just about everything," says Humayun Zafar, a professor of information security and assurance at Georgia's Kennesaw State University.
Zafar notes that despite enterprises' best efforts at protecting systems and resources, cybersecurity incidents continue to grow rapidly. "Budgets cannot rise at a level that's comparable to the rate at which these threats are happening, let alone evolving," he warns. It's therefore imperative that organizations invest intelligently in cybersecurity. "Everything cannot be secured, so prioritization is key," Zafar says.
Here are seven key cybersecurity budget items that planners often overlook or fail to address realistically.
1. Staff acquisition and retention
Defying a long-term trend, many organizations continue to underestimate the cost of hiring and retaining skilled cybersecurity professionals. "Over the past several years, there has been a steadily widening gap between qualified professionals and the exponential growth in the number of jobs," says Carolyn Schreiber, cybersecurity principal at business advisory firm EY Consulting. "Simply put, the competition remains fierce and the war on talent continues." As a result, many organizations find themselves blowing out their hiring budget as they struggle to recruit and retain qualified cybersecurity experts.
There’s a continued shortage of cybersecurity talent that far predates the COVID-19 pandemic, observes Deborah Golden, US cyber and strategic risk leader for business consulting firm Deloitte Risk and Financial Advisory. "If your organization can recruit skilled cyber talent—even if intending to keep that talent forever remote—do it," she urges.
2. Cloud spend
Cybersecurity-related cloud spending is often underestimated or not well managed, says Ted Wagner, CISO at SAP National Security Services (NS2). "Frequently, cloud spend isn't centralized and many units within an organization initiate testing or development in cloud environments without proper controls," he notes. Excessive spend on cloud services can turn what was originally thought to be an inexpensive, perhaps even budget-conserving project into a serious drag on financial resources.
Cloud budgets should reflect real-world pricing while anticipating the additional cost of individual business units trialing and testing cloud-based security tools. "Across a large organization, these incremental costs can add up quickly," Wagner cautions.
3. Third-party advice and analysis
Enterprises often neglect to budget for third-party vulnerability testing, as well as for consultants to advise managers and staff on potential cyber threats. "It's good to have a bigger budget here so that you can elicit help from more than one company to ensure you're getting 360-degree advice," suggests attorney Sarah Bruno, a cybersecurity partner at international law firm Reed Smith.
An organization may resist paying extra for multiple external insights because it has complete confidence in its current cybersecurity environment or because it works with the same security consultant each year on a set budget. Yet such reasoning is usually shortsighted. "It's good to have inputs from different security firms, especially for more sensitive data, to help spot new threats and also to ensure that you have the appropriate technical, administrative and physical safeguards in place," Bruno says.
4. Incident response
Incident response (IR) is an often overlooked cybersecurity need, particularly when it comes to budgets, says Joseph Kirkpatrick at cybersecurity auditing and testing firm Kirkpatrick Price. He notes that when an enterprise is victimized by a data breach, a carefully planned IR strategy can save the organization from potentially devastating financial losses. "Putting in the time to hire and train a group that's responsible for incident response will pay off," Kirkpatrick advises.
Despite the inherent risk, enterprises continue to fail to budget realistically for IR expenses, says Rudy Bakalov, vice president of cybersecurity strategy at management firm Booz Allen Hamilton. "With all the examples in the press of massive organizations—presumably with mature security programs—being compromised, it's difficult to imagine why organizations don't plan better for indirect costs like ... retaining/building out IR capabilities," he notes. "Perhaps they believe their organization is too big—or too small—to be a target, or they are playing the odds it won’t happen to them."
The consequences of failing to budget for indirect cybersecurity costs such as IR are no less serious than those of underestimating direct costs, adds Christopher Smith, a principal in Booz Allen Hamilton's commercial cyber practice. "Not having a retainer for IR services ... could result in an event such as ransomware being protracted unnecessarily, thus creating greater business disruption, loss of customers and reputation damage."
5. Replacement cost
When judging the replacement cost of potentially vulnerable assets, many enterprises take a decidedly myopic view of which systems a breach or malware might affect, limiting replacements to the most vulnerable systems. "From a dollars and cents perspective, this results in losses that far exceed any projections an organization may have," Zafar says. "The level of criticality would be reliant on the scope of the cybersecurity breach."
The recent shift to at-home work raises the replacement cost stakes, leaving pre-pandemic estimates in the dust. Neglecting the replacement or upgrading of vulnerable home systems is courting disaster. "If home systems are impacted, those systems may inadvertently reintroduce a vulnerability in the corporate network, even if an organization has fixed the issue on its end," Zafar cautions.
6. Cybersecurity training
Many of the top cybersecurity risks originate internally. "Many companies acknowledge that employee behavior is a major source of risk," says Jacob Koering, an attorney who leads the cybersecurity and data privacy practice at law firm Miller Canfield. "Yet these same companies drastically underfund, or even ignore, employee training and insider threat needs," he adds.
Koering says that a well-run cybersecurity program ensures that employees are aware of their cybersecurity obligations and reinforces that awareness with internal monitoring to ensure that malicious actors are quickly detected and caught.
7. Cyber insurance
Many enterprises haven't yet recognized the need for cyber insurance—an oversight with potentially dire financial consequences. "It's ironic that despite the growing cyber threats, many companies do not budget for cyber insurance," says Nir Kshetri, a professor in the department of management at the University of North Carolina-Greensboro who writes and speaks frequently on security and cryptocurrency issues. "As of 2020, less than 20% of small businesses in the US had bought cyber insurance," he notes.
Without cyber insurance, organizations may not be able to protect themselves against significant cyberattack-related losses, Kshetri warns. Besides protecting enterprises from a potentially devastating financial hit, simply applying for cyber insurance can lead to a stronger cybersecurity infrastructure. "Cyber insurance expresses a cyber-risk in terms of a dollar value," he states. "The cyber insurance underwriting process can thus help [organizations] identify cybersecurity gaps and provide opportunities for improvement."