How to Budget for Cybersecurity

Lucas Morris
| 6/8/2016

Budgeting for cybersecurity is a concern for organizations worldwide. Already this year, we've seen several prominent government and business officials push to expand the capabilities and budgets of their security teams. Even President Obama weighed in on the discussion in early February with his announcement of the Cybersecurity National Action Plan, which included an expanded budget for U.S. government computer systems and focuses on technology security. 

Over the past several years, we’ve often been asked by clients how their spending on cybersecurity and capability and maturity compares with other organizations. Clients also want broad recommendations on how they can more effectively understand and budget for their cybersecurity needs without vastly increasing their spending. 

Budget considerations

With the hackers and threat actors getting more sophisticated each day, we often find ourselves telling clients that there is no magic percentage they should be spending on security. Instead, we counsel clients that they should consider the following to better determine their specific needs: 

  • Legacy systems update costs. First, it’s critical to identify what it will take to secure your organization’s business systems. If you’re “an Atari game in an Xbox world” as President Obama noted in his opinion piece, “Protecting U.S. Innovation From Cyberthreats,” then you may need to focus on these legacy systems first. Many of the clients I work with have business systems that are several years out of date. However, given the size, effort, and cost of a modernization project, they look for other ways to secure these systems. The IT or cybersecurity teams find ways to provide additional security, often through the use of passive monitoring solutions such as an intrusion detection system (IDS) or security information and event management (SIEM). In some cases, this is sufficient, but management should have a conversation to determine whether an upgrade to some or all systems is merited given the security risks to the organization. 
  • Network security appliance costs. Many organizations look to various appliances to help enhance their internal network security. This may be because they are unable to hire enough professionals to meet their security team requirements, or because they have specific needs for their organization. When budgeting for the purchase of network security appliances, capital costs are not the only consideration. You also must ensure that employees have sufficient time to fully tune and install a solution. For example, a data loss prevention (DLP) system includes default rules and matching expressions for common data, such as Social Security and credit card numbers, but may not include rules specific to your organization. A SIEM solution may include default rules and reports, but the thresholds for these rules may not be set appropriately for your organization. At times, especially for complex solutions such as a DLP system, the time to research and tune a solution may take as long as the installation itself. 
  • Lower-cost solutions. Beyond new appliances and upgrades, other projects can be undertaken to greatly increase the security posture of an organization. Projects such as increasing Active Directory® password requirements, differentiating reused passwords and service accounts, segmenting an internal network, reviewing group memberships, and restricting share permissions can each have a major impact on the effective security of an organization. However, these projects may take a large number of hours to complete, even if their capital cost is low.

Careful consideration of how to secure your legacy business systems, what, if any, network security appliances are needed, and which lower-cost solutions can be implemented will give management a better idea of what their needs are in terms of a cybersecurity budget. Once these needs are mapped into the organization’s long-term plan, the available capital can be allocated for new development. When the budget for new projects is combined with the budget for ongoing maintenance and monitoring requirements, an organization will be able to determine its annual budget for both people and money.

Beyond the budget

It’s also critical that the cybersecurity team have seats at the table when business systems are discussed. All too often, non-IT employees see cybersecurity controls as a hindrance to their day-to-day jobs. The chief information security officer, vice president of IT, or chief information officer should be included in the decision-making process to offer the needed expertise to determine which updates, new technology, and new projects are really necessary. For organization leaders, making well-informed decisions about security requirements will give them more confidence when establishing their cybersecurity budget.

Active Director is either a registered trademark or trademark of Microsoft Corp. in the United States and/or other countries.