4 Steps to Quantitative Cybersecurity Budgeting
Traditionally, many organizations have devoted a particular dollar amount or budgetary percentage to cybersecurity without fully understanding what it is they need to protect and how well it's currently protected. Often, they'll follow generalized recommendations or base their budgets on what others in their industry are spending. This leads to wasteful spending in some areas and underinvestment in others.
Using a quantitative budgeting process helps organizations avoid guesswork, determine which security tools are really necessary, and understand how much they should be spending to protect each asset. Additionally, a quantitative process helps security professionals properly translate security risks into business risks and demonstrate how cyber risks impact the organization as a whole -- which are key to getting buy-in from non-technical stakeholders.
1. Perform an asset inventory and determine your current cybersecurity posture.
For the moment, forget about dollars and percentages. Perform a complete IT asset inventory, including both tangible and intangible assets, and categorize each asset according to its sensitivity and its importance to the functioning of the business. Asset classification can be done in a number of ways. Many organizations classify data assets according to how sensitive the information is, such as public, internal, restricted, and highly confidential.
With your asset inventory in hand, you can determine your organization's cybersecurity posture, or how well your organization's assets are currently protected.
2. Determine your organization's risk appetite.
Cybersecurity is all about reducing risk, which is why the second step in the budgeting process is to determine your organization's risk appetite. This is a collaborative endeavor that involves the entire executive management team and other key stakeholders. The company's leadership must take multiple factors into consideration, including the organization's existing risk profile, its risk capacity and risk tolerance, and organizational attitudes towards risk and returns.
3. Calculate your security budget according to your assets, potential losses, and risk appetite.
Finally, it's time to start thinking about dollars and percentages. An organization's cybersecurity budget should be aligned with how much the organization stands to lose after a cyber attack and how much risk the organization is willing to take.
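The three steps above (inventory and classify assets, set a risk appetite, derive the budget from potential losses) can be carried through as a small calculation. The following Python is an added example and not code from the original article; it assumes the classic single loss expectancy / annualized loss expectancy model, that each control reduces an asset's incident rate multiplicatively, and that risk appetite is expressed as the total annualized expected loss the business is willing to carry. All asset values, incident rates, control names and costs are constructed for illustration.

```python
"""Quantitative security budgeting (added example, not from the original article).

Assumptions (not stated on the page): losses use the SLE/ALE model, each
control multiplies its asset's incident rate by (1 - rate_reduction), and the
risk appetite is the total annualized expected loss the business will carry.
Every figure below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    classification: str      # public / internal / restricted / highly confidential
    value: float             # dollar value of the asset to the business
    exposure_factor: float   # fraction of that value lost in one incident (0..1)
    annual_rate: float       # expected incidents per year at the current posture

    def single_loss_expectancy(self) -> float:
        return self.value * self.exposure_factor

    def annualized_loss_expectancy(self, rate: Optional[float] = None) -> float:
        """ALE = SLE x incidents per year; pass a residual rate to evaluate controls."""
        r = self.annual_rate if rate is None else rate
        return self.single_loss_expectancy() * r


@dataclass
class Control:
    name: str
    asset: str               # which asset it protects
    annual_cost: float       # licences, staff time, etc., per year
    rate_reduction: float    # fraction of incidents it prevents (0..1)


@dataclass
class BudgetPlan:
    adopted: list            # control names, in the order they were chosen
    budget: float            # annual spend on the adopted controls
    residual_ale: float      # expected annual loss left after those controls
    within_appetite: bool


def residual_rates(assets, controls, adopted):
    """Residual incident rate per asset with the adopted controls applied."""
    rates = {a.name: a.annual_rate for a in assets}
    for c in controls:
        if c.name in adopted:
            rates[c.asset] *= (1.0 - c.rate_reduction)
    return rates


def total_ale(assets, rates):
    return sum(a.annualized_loss_expectancy(rates[a.name]) for a in assets)


def plan_budget(assets, controls, risk_appetite):
    by_name = {a.name: a for a in assets}
    adopted = []

    def marginal_reduction(c):
        before = residual_rates(assets, controls, adopted)[c.asset]
        after = residual_rates(assets, controls, adopted + [c.name])[c.asset]
        a = by_name[c.asset]
        return a.annualized_loss_expectancy(before) - a.annualized_loss_expectancy(after)

    # Phase 1: adopt every control that pays for itself, largest net benefit first.
    while True:
        scored = [(marginal_reduction(c) - c.annual_cost, c)
                  for c in controls if c.name not in adopted]
        scored = [(net, c) for net, c in scored if net > 0]
        if not scored:
            break
        scored.sort(key=lambda t: t[0], reverse=True)
        adopted.append(scored[0][1].name)

    # Phase 2: the risk appetite is a constraint, not a preference. If expected
    # loss is still above it, buy the most loss reduction per dollar until the
    # plan fits or no controls remain (then leadership must revisit the appetite).
    while total_ale(assets, residual_rates(assets, controls, adopted)) > risk_appetite:
        candidates = [c for c in controls if c.name not in adopted]
        if not candidates:
            break
        best = max(candidates,
                   key=lambda c: marginal_reduction(c) / max(c.annual_cost, 1.0))
        adopted.append(best.name)

    residual = total_ale(assets, residual_rates(assets, controls, adopted))
    budget = sum(c.annual_cost for c in controls if c.name in adopted)
    return BudgetPlan(adopted, budget, residual, residual <= risk_appetite)


# Constructed inventory and candidate investments (hypothetical values).
ASSETS = [
    Asset("customer-db", "highly confidential", 2_000_000, 0.50, 0.2),
    Asset("public-website", "public", 100_000, 0.30, 1.0),
    Asset("hr-fileshare", "restricted", 400_000, 0.25, 0.5),
]
CONTROLS = [
    Control("mfa-rollout", "customer-db", 30_000, 0.6),
    Control("edr-licenses", "customer-db", 40_000, 0.3),
    Control("waf", "public-website", 12_000, 0.5),
    Control("backup-service", "hr-fileshare", 20_000, 0.8),
    Control("dlp-suite", "hr-fileshare", 60_000, 0.5),
]
RISK_APPETITE = 100_000  # annualized expected loss the business will carry


def example_plan(appetite=RISK_APPETITE):
    return plan_budget(ASSETS, CONTROLS, appetite)


if __name__ == "__main__":
    p = example_plan()
    print(f"adopt {p.adopted}; budget ${p.budget:,.0f}; "
          f"residual ALE ${p.residual_ale:,.0f}; within appetite: {p.within_appetite}")
```

With the sample figures the untreated expected loss is $280,000 a year; the controls that pay for themselves bring it to $105,000, still above the $100,000 appetite, so the planner adds the next most cost-effective control even though its cost exceeds the loss it removes. That is the point of step 3: the budget is whatever it costs to reach the loss level leadership agreed to carry, not a percentage picked in advance.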
4. Use key performance indicators (KPIs) to measure effectiveness.
Setting up KPIs enables organizations to quantitatively measure the effectiveness and value of their cybersecurity investments, as well as demonstrate their value to company leadership. While there is no authoritative list, common security KPIs include number of intrusion attempts over a specified period, the mean time to detect (MTTD) a potential security incident, and average cost per security incident.
Cybersecurity Budgeting Mistakes to Avoid
Thinking you need to spend more -- or less -- based on what other companies are spending.
Don't base your organization's security spending on what other companies in your industry are doing. You're securing your organization, not theirs. Your company's asset inventory and risk profile could be wildly different -- not to mention, your competitors may not have used a quantitative process to come up with their security budgets!
Thinking that more money automatically equals better protection.
Don't think that spending gobs of money on the latest and greatest security tools will make your organization impenetrable. There are many solid products on the market that can significantly reduce your cyber risks, but that's all any product can do: Reduce risk. There is no such thing as eliminating it completely, which is why determining your organization's risk appetite is a critical part of the budgeting process.
On a similar note, before purchasing any security solution, be sure you have the in-house expertise and resources to devote to it. The best security products on the market are only as good as the humans who configure and monitor them.
Thinking that cyber insurance will cover all of your losses.
Cyber insurance is a sound investment to mitigate the costs of a cyber attack. However, primarily due to the stratospheric rise in ransomware costs, cyber liability premiums have spiked as much as 300%.[1] Insurance companies have also started imposing "sub-limits" and co-insurance provisions on ransomware incidents, tightening underwriting guidelines, and imposing coverage limits on industry sectors that are at high risk for ransomware, including manufacturing, education, healthcare, and public sector organizations.
Bottom line: Insurers are making organizations shoulder far more of the risk of a ransomware attack than they did in years past. Instead of depending on cyber insurance, invest in proactive measures to prevent ransomware attacks from happening in the first place, such as:
- Performing regular system backups, which are essential for recovering data after a ransomware incident -- as well as other catastrophes, such as hardware failures or natural disasters.
- Training employees to avoid social engineering scams, especially phishing. Cyber criminals use phishing emails to deliver ransomware and other malware directly, as well as to harvest login credentials so that they can get a foothold in the network.
- Securing company passwords, which are arguably the biggest threat to organizational cybersecurity. About 75% of ransomware attacks involve compromised passwords.[2] Make sure your organization has a comprehensive password security policy that mandates the use of strong, unique passwords on every account and multi-factor authentication (MFA) wherever it's supported.