How Much Should Organizations Spend on Cybersecurity?

Organizations aren’t spending enough on cybersecurity. As we explained in our previous post, many business leaders have misconceptions about the risks to their organizations and the level of security needed to protect against the latest attacks. They may view security as a “nice to have,” whereas new technologies such as AI are seen as strategic investments that will drive the business forward.

In practice, many small to midsize enterprises (SMEs) aren’t spending enough to provide basic protection, much less to defend against advanced threats. In addition to putting the business at risk, inadequate security spending makes it difficult to comply with increasingly stringent regulations and to meet the requirements of cyber insurance providers.

How much an organization should spend depends on a number of factors, including the size of the business, the industry and the degree to which operations depend on technology. As a rule of thumb, organizations in highly regulated industries and those that can’t afford downtime should spend the most.

Defining the Budget Baseline

That said, there are some guidelines that can help organizations determine their cybersecurity budgets. The process starts with a review of the existing IT environment to determine what security controls are already in place and to identify any gaps and vulnerabilities. A third-party assessment performed by a qualified managed security services provider (MSSP) can provide an objective baseline.

The first line item in the budget should cover existing security controls. This would include such expenses as maintenance agreements, software licenses and subscriptions for cloud-based tools. It would also include any third-party services, such as monitoring, backups, support and training programs.

Next, the budget should include any upgrades, enhancements or additional tools needed to close the identified security gaps. Organizations in regulated industries should also ensure that they have all the controls in place to meet compliance requirements. An MSSP can provide helpful guidance and recommend tools that are budget-friendly and compatible with the organization’s existing IT infrastructure.

Planning for Budget Growth

The cybersecurity landscape is constantly changing, and organizations should not expect what they did last year to suffice in the coming year. They will need to make additional investments to fully protect their systems. Some experts recommend budget growth of 8 percent to 12 percent.

Organizations can maximize the ROI of their security investments by focusing on areas that deliver the greatest value. For example, microsegmentation can be implemented in just weeks and can reduce total cost of ownership by as much as 76 percent compared to firewall-based solutions. Extended detection and response (XDR) platforms consolidate security tools to lower the cost of licenses while enabling up to 60 percent faster threat detection.

Of course, organizations should invest in people as well as technology. Given the persistent security skills gap, organizations should look to an MSSP to provide needed expertise. A qualified MSSP such as Verteks also provides ongoing services such as monitoring, patching and incident response.

Why the Budget Exercise Is Important

No matter what the bottom-line number turns out to be, organizations that complete this exercise have made significant progress: they have committed to a recurring line item in their overall budgets to address and plan for security threats, and they have begun the transition from reactive security to a more proactive, risk-based approach.

The next step is to commit to reviewing the security budget throughout the year to ensure that it remains adequate in light of business growth or changes to the IT environment. Organizations should also conduct regular assessments to identify new vulnerabilities, address emerging threats and keep pace with changing regulatory requirements.

SME leaders should assume that their organization is being targeted and that a cyberattack is imminent. They should recognize the high cost of downtime and disruption, as well as the legal and reputational consequences of a cyberattack. Contact Verteks for help developing a cybersecurity budget and strategy that reduces business risk.
