Getting Strategic with Security Budget Planning

Take time to consider direct and indirect costs as you plan for 2021 security technology investments.

AT&T

The year 2020 catapulted cybersecurity from a technology problem to a business issue. Now, when organizations plan for digital transformation, leading with security is the norm. And because it's now top of mind for business and technology leaders, cybersecurity should be a significant part of every budget — factoring in necessities such as tooling, consulting services, training, updates, new licensing, and even an insurance policy.

However, as budgeting traditionally occurs in silos, security leaders are still concerned the committed spend will not be sufficient. A recent AT&T Cybersecurity poll showed that nearly one-third (28%) of cybersecurity professionals are concerned about the prioritization of security investments.

As we near the end of the year, a time when security budgets are often reassessed, let's take a look at common direct and indirect security costs — and how organizations can get strategic with their security spending.

Planning for Unexpected Disruptions
One of the most frequently overlooked direct cybersecurity costs is what organizations have been experiencing since early 2020 — the unexpected disruption and associated expenses as a result of the pandemic. In March 2020, when homes became offices and employees became remote workers, organizations struggled with unexpected cybersecurity expenses such as basic cybersecurity training, extra VPN licenses, extra licenses for secure email gateways, additional managed security services, and other typical cybersecurity budget line items.

Other unexpected but very real disruptions include a cyberattack and its necessary remediation, unexpected business growth (either organic or through acquisition), and rapid change to accommodate competitive business initiatives.

A well-organized, strategic company plans and budgets for such disruptions every year, treating them as an unknown but real possibility. Organizations should use a strategic planning process to identify possible events, both likely and unlikely. Understanding where business risk may creep in over the course of the year helps organizations set a realistic budget that can help them survive disruptions.

Failure to plan for the unexpected disruption can have dire consequences. For example, some businesses experiencing erosion from more nimble competitors could not adapt during the pandemic. Among other issues, the switch to everything remote, virtual, and touchless accelerated the decline of these businesses. Formerly stalwart brands have either gone out of business completely or are in restructuring mode.

Crisis Management
On the other side of the coin lie indirect security costs. The most overlooked indirect cybersecurity cost is directly related to unexpected disruption: crisis management. In the event of a disruption, organizations may face costs for crisis experts such as outside cybersecurity professionals to remediate issues, the last resort of payment for a ransomware attack, or other expenses.

Many organizations fail to think about a crisis situation and its remediation tactics. Planning for a crisis is not a failure; it's being realistic and strategic. Failing to plan for a crisis as part of an unexpected disruption can cause loss of customer loyalty and shareholder confidence, tarnishing of the brand, and ultimately, loss of the business. While it's true that planning for a crisis may cost a company more day-to-day (depending on the amount of work done, the industry, and the geographies to be covered), it is still far more cost effective than being unprepared, which can cost up to millions of dollars in mitigation and potentially hundreds of millions in reputation and shareholder value.

Cybersecurity is no longer an isolated technical team or issue; it's a business enabler. Organizations that update business models to include cybersecurity as part of a strategic planning process may be able to withstand unexpected disruptions better than organizations that view cybersecurity as simply a technical problem to be solved.

Need help planning for cybersecurity in 2021? AT&T Cybersecurity Consulting provides strategy and cyber risk assessment services.

Copyright © 2020 IDG Communications, Inc.