Worldwide spending on information security products and services has been on the rise for years. According to Gartner, it’s grown from $114 billion in 2018 (an increase of 12.4 percent from 2017) to potentially more than $124 billion in 2019. What better time to join the trend?
But perhaps more importantly, IT security leaders in enterprises also have high expectations: 72 percent say that their budget will increase in 2020. With more money invested in information security, one question remains: how are these investments shaped?
The bottom line is this: there are two ways to decide your business’s cybersecurity future:
#1: Rely on your intuition and previous experience in similar situations or follow others’ choices. That’s a conventional approach.
#2: Analyze your unique situation, break it down into small details, and try to calculate the probability of these details changing soon. This is a risk-based approach.
Now let’s take a look at these two approaches in detail, what they mean for operations, and one might be best for your business.
Cybersecurity budget approach one: conventional
The most common approach to security budgeting is often based on today’s immediate needs or previous experience, especially for growing companies who need the minimum and necessary cybersecurity measures and tools to focus on growth.
For these types of organizations, budget planning is based on inheritance, where the current budget level maintains for several cycles with minimum changes. There’s no practice of setting strategic IT security goals or assessing specific risks, and money is spent on emerging needs with ad hoc support. It’s a happy-go-lucky approach.
This approach will work unless you make any sudden business changes. For example, you might decide to bolster the digital side of your business or bring in a cloud-based service for CRM or accounting. These actions require you – in an ideal world – to rapidly increase your IT security budget and skilled personnel to protect from the threats the tech brings. Previously scheduled tasks and deployments get delayed and piled up for later.
Unfortunately, this means more ad hoc spending, which may pile up. Why? Security spending may increase dramatically as whenever something unexpected happens; you’ll need to solve it as quickly as possible, no matter the cost. At the same time, larger organizations with a more mature approach to risk management may end up with a smaller proportion of money spent on information security. So, that’s number one.
Cybersecurity approach two: risk-based
It’s not surprising that in 2019, risk management expertise is cited as among the top three skills for information security chiefs. Across the globe, mature enterprises operate with risk assessment at their core – IT and cybersecurity are no different.
This isn’t about trying to fix as many gaps as possible; it’s about strategy. Firstly, look at critical business risks from cyberattacks – whether that’s decreased service availability for customers, damaged reputation, lost business opportunities, or other direct financial losses. Then, you make risk calculations: multiplying the probability of an incident by the cost and deciding whether there’s a need to implement IT security measures. For businesses with this mind-set, cybersecurity isn’t a habit or a “necessary evil” investment instigated by scary headlines; it’s an appropriate action based on calculations.
Every business is unique, which means they’ll likely face specific types of cybersecurity risks. For a digital-led eCommerce firm, there’s a good chance that a distributed denial of service (DDoS) attack – malicious attempts to disrupt servers by flooding them with internet traffic – could cause massive damage, both monetary and reputational. Whereas financial and government organizations would face penalties and fines if their systems were breached in an advanced cyberattack, so their budgets should focus here.
Additionally, software developers and service providers can even be a target themselves, or a step in a supply chain attack against their customers. In other words, there are almost as many threat models as there are types of business, each with a specific and ever-changing set of risks.
As risks always imply a certain level of probability, IT security expertise is becoming a crucial part of the risk assessment process. Here, cybersecurity experts – including external ones – can help evaluate possibilities and use their experience to make a positive impact.
Finally, when a decision about purchasing a cybersecurity solution or service is made based on this approach, there’s a transparent process of approval with higher management. This means avoiding situations where one IT employee forces a decision to prevent the most cost-effective and efficient solution but chooses another simply because, for example, they used to work with that platform in the past.
Of course, the risk assessment process differs from one company to another, and it’s continuously improving. Nonetheless, three key components – experts, risk evaluation and a transparent decision-making chain – remain essential to help make budget planning more effective. It’s ultimately ensuring that the company’s investments in IT security are in line with business needs.
What lessons can your business learn?
Planning a security budget is similar to car maintenance. As a car owner, you could roughly estimate the average sum for regular expenses, tires, tech inspection and other things. However, as a racing enthusiast, you know you literally need to ‘kick the tires’ in advance: prepare for the season and make sure you’ll have enough budget for all car components (tires, brakes, etc.) that get worn out much faster on the track. This second approach is more mature and ultimately saves money. But it also demands expertise, time and dedication.
All in all, here are a few considerations when approaching your IT security budget:
Knowledge is power
When assessing risks, look at the threats most relevant to your industry and company size, then plan your budget accordingly. Access to the most up-to-date and tailored threat intelligence reports is crucial.
Whether you’re calling on internal talent, external providers or both, they can help evaluate risk and the potential value of cybersecurity solutions and services. Most vendors offer a variety of training to help organizations improve their level of internal expertise.
Bring in the experts (if you need to)
Outsourcing is useful for organizations that don’t yet have enough internal expertise or risk assessment processes. Have a guaranteed service level agreement (SLA) and move expenses from capital expenditure (CapEx) to operating expenditure (OpEx) to keep security spending under control.
Try out different tools
While an industry benchmark alone isn’t enough information to make a budget decision, tools like the Kaspersky IT Security Calculator can provide threat information, measures and numbers that are worth exploring for organizations of a particular industry, size and region.
When dealing with something as serious as corporate IT security (or racing at high speed), it’s best to take time to prepare in advance, consult with experts and plan what to expect. Slow and steady wins the race, as they say.
This article was published in December, 2019.