Cyber Security Spend – Our Point of View 

How Much Should We Spend on Cyber Security? 

This is a frequently asked question and not an easy one to answer. Why? Several factors will influence your decision-making. In this blogpost, we will offer our opinion, based on years of experience building effective cyber programs for our clients, responding to a very large number of incidents, and significant effort spent monitoring developments in the threat landscape. 

The Dilemma of Budgeting for Cyber Security 

The last point, monitoring the threat landscape, is important to remember when budgeting because there is a built-in dilemma. Organizations typically have their annual operating rhythms and their layers of process and bureaucracy. At the same time, an attacker can change modus operandi from one day to the next. 

Hence, how you invest and spend cyber security money needs to factor in the nature of this operating environment. A way to counter the dilemma is to budget a “to-be-allocated” pool for each year’s unforeseen developments. This is not frequently done in financial planning for Security, but we see clear benefits. If it cannot be allocated directly in the Security budget, it is a conversation worth having with Finance. 

Defining the Right Spend 

So, how much should you spend? There are different ways of answering this question. 

First of all, a clear success criterion is to articulate a cyber risk appetite or target maturity state. Unless you secure agreement across the ranks of the organization—from the Board, whose job it is to define risk appetite not only for cyber but overall, to the Security team—funds will be misaligned and CAPEX and OPEX allocation risks being inefficient. 

Begin with a Cyber Maturity Assessment 

We typically advocate that organizations perform a Cyber Maturity Assessment to start the target state conversation, which will also lead to the answer to the “How much should we spend?” question. 

Key Aspects of the Assessment: 

Assess Current State 

  • This assessment should not only focus on the current state but also include peer benchmarks and an informed position on a proposed target state. 

Understand the Threat Landscape 

  • What are we protecting against? It is imperative to define what is typically called the dimensioning threat, i.e. the threat that the security program is sized to defend against. 
  • Once we know this, we can also design the right capabilities. 

Create a Prioritized Roadmap 

  • The assessment report should include an overall design. 
  • In other words: which capabilities do we need in order to defend against the threats? 
  • This design should then be translated into a prioritized roadmap, typically spanning 2 years. 

Analyze Current Spend 

  • The Cyber Maturity Assessment should also include a spend analysis. 
  • How much are we spending today to give us our current cyber maturity? 
  • Unless you know the answer to this question, how can you possibly conclude what a target spend should be? 

Include Cost of Outage Metrics 

  • If you also include the cost of outage per day in the initial assessment, you will get a better perspective and a figure against which to weigh the cyber security budget. 

Aligning Budget with Risk Appetite 

The objective of the cyber security budget is to minimize operational loss and, of course, also to limit regulatory exposure, reputational risk, etc. 

Then it is time to decide the cyber risk appetite. In essence, you agree on a target maturity state and attach the budget you are willing and able to spend to limit your financial exposure from outages, etc. 

General Benchmark for Spending: 

  • As a general benchmark, when we design cyber security programs, we often arrive at 8-10% of the IT budget to deliver a robust but not perfect cyber security program that can defend against the dimensioning threats. 
  • Some organizations have very complex IT estates and/or are very exposed to advanced threats and may require more spending. 
  • Some organizations can afford to spend less. 

How Should an Organization Distribute Cyber Security Spend? 

This is a key question. It is not only about the amounts. It is equally important to get the distribution right to deliver the best possible value for money. 

Often, when we discuss budgets with our customers, we use the NIST CSF key capabilities as a vehicle for the conversation. 

Key Insights on Budget Distribution: 

  • From our post-breach lessons learned, we know that investment in Detect & Response capabilities (EDR/XDR-based), together with spend on immutable backups, is always money well spent. 
  • When looking at overall budgets, we also frequently see more than 90% of total spend already committed to headcount, infrastructure, software, and partner contracts. 
  • This means the CISO has very little room to counter a changing threat landscape during the fiscal year. 

In summary, as an integrated part of financial planning, it is good to also look at the distribution of spend, and to use threat intelligence and real-world incident expertise to inform your priorities for the coming year. 

How Do I Maximize Value for Money? 

This is a question for many CISOs today. Over the last 5 years, many CISOs have seen budgets increase year over year. But times have changed, and we now see budgets that are flat or that have been pulled into organization-wide cost-out programs. 

This means that CISOs effectively need to do more with less. At the same time, we also see many CISOs spending a lot of effort and budget on constant back-fill hiring, interim consultants, coordination of suppliers, etc. 

Designing a Clear Sourcing Strategy 

One way to maximize value for money is to design and adopt a clear sourcing strategy. 

Key Considerations: 

  • Organizations that clearly define what they run in-house, and then build genuine partnerships with strategic partners for the rest, are more likely to maximize output. 

Final Thoughts 

Interested to learn more about financial planning for cyber security? Please get in touch. We are here to help you get both capabilities and numbers right.