{"id":31938,"date":"2019-12-25T13:48:21","date_gmt":"2019-12-25T18:48:21","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=31938"},"modified":"2023-05-30T05:56:22","modified_gmt":"2023-05-30T09:56:22","slug":"business-it-security-budget","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/business-it-security-budget\/31938\/","title":{"rendered":"Plan your business cybersecurity future with these two approaches to budgeting"},"content":{"rendered":"<p>Worldwide spending on information security products and services has been on the rise for years. According to <a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019\" target=\"_blank\" rel=\"noopener nofollow\">Gartner<\/a>, it\u2019s grown from $114 billion in 2018 (an increase of 12.4 percent from 2017) to potentially more than $124 billion in 2019. What better time to join the trend?<\/p>\n<p>But perhaps more importantly, IT security leaders in enterprises also have high expectations: 72 percent say that their budget will increase in 2020. With more money invested in information security, one question remains: how are these investments shaped?<\/p>\n<p>The bottom line is this: there are two ways to decide your business\u2019s cybersecurity future:<\/p>\n<p>#1: Rely on your intuition and previous experience in similar situations or follow others\u2019 choices. That\u2019s a conventional approach.<\/p>\n<p>#2: Analyze your unique situation, break it down into small details, and try to calculate the probability of these details changing soon. 
This is a risk-based approach.<\/p>\n<p>Now let\u2019s take a look at these two approaches in detail, what they mean for operations, and which one might be best for your business.<\/p>\n<h2>Cybersecurity budget approach one: conventional<\/h2>\n<p>The most common approach to security budgeting is often based on today\u2019s immediate needs or previous experience, especially for growing companies that need the minimum and necessary cybersecurity measures and tools to focus on growth.<\/p>\n<p>For these types of organizations, budget planning is based on inheritance, where the current budget level is maintained for several cycles with minimal changes. There\u2019s no practice of setting strategic IT security goals or assessing specific risks, and money is spent on emerging needs with ad hoc support. It\u2019s a happy-go-lucky approach.<\/p>\n<p>This approach will work unless you make any sudden business changes. For example, you might decide to bolster the digital side of your business or bring in a cloud-based service for CRM or accounting. These actions require you \u2013 in an ideal world \u2013 to rapidly increase your IT security budget and skilled personnel to protect from the threats the tech brings. Previously scheduled tasks and deployments get delayed and piled up for later.<\/p>\n<p>Unfortunately, this means more ad hoc spending, which may pile up. Why? Security spending may increase dramatically because whenever something unexpected happens, you\u2019ll need to solve it as quickly as possible, no matter the cost. At the same time, larger organizations with a more mature approach to risk management may end up with a smaller proportion of money spent on information security. 
So, that\u2019s number one.<\/p>\n<h2>Cybersecurity approach two: risk-based<\/h2>\n<p>It\u2019s not surprising that in 2019, <a href=\"https:\/\/www.kaspersky.com\/blog\/ciso-2019\/29014\/\" target=\"_blank\" rel=\"noopener nofollow\">risk management expertise is cited as among the top three skills for information security chiefs<\/a>. Across the globe, mature enterprises operate with risk assessment at their core \u2013 IT and cybersecurity are no different.<\/p>\n<p>This isn\u2019t about trying to fix as many gaps as possible; it\u2019s about strategy. Firstly, look at critical business risks from cyberattacks \u2013 whether that\u2019s decreased service availability for customers, damaged reputation, lost business opportunities, or other direct financial losses. Then, you make risk calculations: multiplying the probability of an incident by the cost and deciding whether there\u2019s a need to implement IT security measures. For businesses with this mind-set, cybersecurity isn\u2019t a habit or a \u201cnecessary evil\u201d investment instigated by scary headlines; it\u2019s an appropriate action based on calculations.<\/p>\n<p>Every business is unique, which means they\u2019ll likely face specific types of cybersecurity risks. For a digital-led eCommerce firm, there\u2019s a good chance that a distributed denial of service (DDoS) attack \u2013 malicious attempts to disrupt servers by flooding them with internet traffic \u2013 could cause massive damage, both monetary and reputational. Whereas financial and government organizations would face penalties and fines if their systems were breached in an advanced cyberattack, so their budgets should focus here.<\/p>\n<p>Additionally, software developers and service providers can even be a target themselves, or a step in a supply chain attack against their customers. 
In other words, there are almost as many threat models as there are types of business, each with a specific and ever-changing set of risks.<\/p>\n<p>As risks always imply a certain level of probability, IT security expertise is becoming a crucial part of the risk assessment process. Here, cybersecurity experts \u2013 including external ones \u2013 can help evaluate possibilities and use their experience to make a positive impact.<\/p>\n<p>Finally, when a decision about purchasing a cybersecurity solution or service is made based on this approach, there\u2019s a transparent process of approval with higher management. This means avoiding situations where one IT employee forces a decision that rejects the most cost-effective and efficient solution and chooses another simply because, for example, they used to work with that platform in the past.<\/p>\n<p>Of course, the risk assessment process differs from one company to another, and it\u2019s continuously improving. Nonetheless, three key components \u2013 experts, risk evaluation and a transparent decision-making chain \u2013 remain essential to help make budget planning more effective. Ultimately, this ensures that the company\u2019s investments in IT security are in line with business needs.<\/p>\n<h2>What lessons can your business learn?<\/h2>\n<p><img decoding=\"async\" class=\"size-large wp-image-31940\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2019\/12\/25134623\/it-security-spend-inline-1024x679.jpg\" alt=\"it security spend\" width=\"1024\" height=\"679\"><br>\nPlanning a security budget is similar to car maintenance. As a car owner, you could roughly estimate the average sum for regular expenses, tires, tech inspection and other things. However, as a racing enthusiast, you know you literally need to \u2018kick the tires\u2019 in advance: prepare for the season and make sure you\u2019ll have enough budget for all car components (tires, brakes, etc.) 
that get worn out much faster on the track. This second approach is more mature and ultimately saves money. But it also demands expertise, time and dedication.<\/p>\n<p>All in all, here are a few considerations when approaching your IT security budget:<\/p>\n<h2>Knowledge is power<\/h2>\n<p>When assessing risks, look at the threats most relevant to your industry and company size, then plan your budget accordingly. Access to the most up-to-date and tailored <a href=\"https:\/\/www.kaspersky.co.uk\/enterprise-security\/threat-intelligence\" target=\"_blank\" rel=\"noopener\">threat intelligence reports<\/a> is crucial.<\/p>\n<h2>Embrace expertise<\/h2>\n<p>Whether you\u2019re calling on internal talent, external providers or both, they can help evaluate risk and the potential value of cybersecurity solutions and services. Most vendors offer a variety of <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-awareness-business-2019\/29183\/\" target=\"_blank\" rel=\"noopener nofollow\">training<\/a> to help organizations improve their level of internal expertise.<\/p>\n<h2>Bring in the experts (if you need to)<\/h2>\n<p>Outsourcing is useful for organizations that don\u2019t yet have enough internal expertise or risk assessment processes. 
Have a guaranteed service level agreement (SLA) and move expenses from capital expenditure (CapEx) to operating expenditure (OpEx) to keep security spending under control.<\/p>\n<h2>Try out different tools<\/h2>\n<p>While an industry benchmark alone isn\u2019t enough information to make a budget decision, tools like the <a href=\"https:\/\/calculator.kaspersky.com\/\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky IT Security Calculator<\/a> can provide threat information, measures and numbers that are worth exploring for organizations of a particular industry, size and region.<\/p>\n<p>When dealing with something as serious as corporate IT security (or racing at high speed), it\u2019s best to take time to prepare in advance, consult with experts and plan what to expect. Slow and steady wins the race, as they say.<\/p>\n<p><em>This article was published in December, 2019.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Planning your IT security spend isn\u2019t easy. Here are two approaches your business could take and how they could benefit you. 
<\/p>\n","protected":false},"author":2540,"featured_media":31939,"template":"","coauthors":[3595],"class_list":{"0":"post-31938","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-cybersecurity","7":"emagazine-category-finance-and-budgets","8":"emagazine-tag-finance"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/business-it-security-budget\/31938\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/secure-futures-magazine\/business-it-security-budget\/21038\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/secure-futures-magazine\/business-it-security-budget\/16375\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/31938","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2540"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/31939"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=31938"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=31938"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}