What is the right amount to spend on cybersecurity?  Gartner reports average spend of 5-8%, but a CIO survey showed closer to 15% of the IT budget with almost a quarter of the respondents allocating more than 20% of their IT budget to securing their data.

Now that most organizations have secured the network perimeter, focus is shifting to look for real-time analysis of activity and risks within the network.  The starting point is often 3rd party testing to find vulnerabilities that could be exploited so they can be remediated before a hacker discovers them.  Aligning security to a known framework can help identify gaps in the organizations controls, policies and procedures that could leave you vulnerable.  Two of the key areas where gaps most often exist are detection and response.  Using a known framework allows for setting a baseline and then regularly measuring progress as you prioritize solutions for filling your gaps based on how much they will reduce risk, compliance requirements, and budget.What is the value of the data you need to protect? Consider the value of your client list, donor information, proprietary pricing models, plans or recipes – even your reputation if you were breached. Online breach calculators can also provide estimates of what an incident will cost so you can look at the return on investment to lowering your risk.

Could you be spending too much on cybersecurity?  Probably not, but it is possible – especially if you are spending in a way that doesn’t really reduce your risk.  For example, replacing a next-generation firewall with another model that doesn’t add any new features for protection because your IT staff or vendor prefer the other model.  Paying for a Security Information and Event Management (SIEM) tool when no one is looking at the alerts it generates, or even paying a Managed Security Services Provider (MSSP) to monitor the network if you aren’t monitoring the right assets to detect potential threats or if your monitoring floods you with false positives and the alerts become white noise. Even your cyber insurance can be a bad investment if the policy has not been closely reviewed and tailored to cover your actual risk and limit the exposure from a cyber incident.

While there is no set answer to how much you SHOULD spend to secure your data, one thing is clear, the answer should never be zero.