While Kaseya’s Annual IT Operations Report confirmed that security is a top priority for IT professionals, about one-third of respondents reported insufficient resources to meet demands. If you also fall into this category, what can help you get the budget you need?
1) Start with a reality check. How does your budget compare to others? Check surveys and reports to get an idea of where you fall. How much of the IT budget is dedicated to security? In general, 10-15% is the average (Source: Deloitte, May 2021). Annual security spending per employee, by sector:
- Financial Utility: $4,375 per year per employee.
- Service Providers: $3,266.
- Banking: $2,688.
- Consumer/Financial (nonbanking): $2,348.
- Insurance: $1,984.
2) What’s at risk? Exposure of protected consumer, financial or health data can result in six-figure regulatory fines and potential litigation costs and judgments. Online cyber breach risk calculators can provide eye-opening estimates of the costs related to a breach. The reputational damage of exposed financials, client lists, pricing models, or other sensitive or proprietary information is harder to calculate. Hackers may demand millions in extortion payments if they gain access to data that you don’t want them to expose publicly.
3) What is already in place? Take a close look at the investments you have already made. Could your cloud service(s) be upgraded to add multi-factor authentication or to encrypt data? Have you implemented all of the security features of your endpoint solution, your firewall, and your Office 365 tenant? Guidance can be found in the Center for Internet Security (CIS) Controls; an estimated 85% of cyber incidents are preventable by implementing just the six Basic controls.
4) Use a recognized cyber framework to make sure you have all the bases covered. Have you invested all of your resources in technical controls but allocated no funding for educating users about threats such as Business Email Compromise, which may include telephone calls that trick users into giving up their credentials? Does your budget assume that your protection is 100% effective and allocate no spending for incident response resources?
5) Make the business case. Once you calculate costs per incident and get estimates for solutions to fill the gaps in what is currently in place, you can put together a simple Investment to Reduce Risk summary to review with your C-team or Board, so that they are included in the business decision of how much spending makes sense to reduce risk based on what’s at stake. You can also reference Cybersecurity Safe Harbor legislation to further justify alignment with one of the recognized cyber frameworks, which can invoke protection from regulatory fines, legal judgments, and even rejected cyber insurance claims for failure to take “reasonable” cybersecurity precautions.