In yesterday’s blog, I wrote about some of the top conversations that you, the IT Security Manager (or, for that matter, any other member of your team), need to have with your CIO and/or CISO. I was actually going to write an extension of that blog in a few weeks, and instead write something more Cyberthreat related.
But, surprisingly enough, I came across yet another article which had me thinking for most of this morning . . . and it is yet another very important topic you need to talk to the C-Suite about.
And just what exactly may that be? Well, it is about the specific funding that you will need for your Cybersecurity initiatives, not only for 2020, but probably going into next year as well, for 2021. Planning for this can be very tricky, given just how dynamic the Cyberthreat Landscape is.
For instance, you may think that you have enough in your budget, but then bam, you may be impacted by a security breach, and you will probably need more $$$ than you have ever planned for.
Also, newer technologies are emerging (such as Artificial Intelligence and Machine Learning), which will soon be almost essential to have in your security arsenal.
Another area of concern in the Cybersecurity budgeting process is not only hiring new talent, but also keeping your existing employees, which takes financial resources as well.
In recent market research conducted by Gartner, Cybersecurity budgets have increased from $114 billion in 2018 to more than $124 billion in 2019. 72% of the respondents that participated in this survey know that their budget requests are only going to increase greatly in 2020.
But before you can submit your budget requests to your CIO and/or CISO, or even have a conversation about it with them, you need to come up with how much money you think you will need in the first place.
If you have an MBA, or have even taken a graduate level course in finance, there are numerous ways in which you can mathematically model all of this. But for the sake of simplicity (and for being in the real world as well), there are two general approaches you can take to come up with the numbers. Here they are:
*Look at what has happened in the past, and use the same for the future:
*Look what has happened in the past, and use the same for the future:
In this kind of approach, the title above says it all. In other words, whatever budget you had planned in 2019 will still remain more or less the same for 2020, with any unused budget being rolled over. Taking this methodology is also known as “taking the path of least resistance”.
For example, you just assume that everything will remain the same in 2020 as it did in 2019 and keep your fingers crossed. Although this may be the safest route to take with the higher-ups, the main downside is that it does not consider any sort of contingencies or emergencies that may happen. This is especially true if you become the victim of a Cyberattack.
You may not have been one in 2019, so you think you will not be one either in 2020. But what if it does actually happen? How are you going to round up the money to recover from it, and restore mission critical operations and processes ASAP?
Your CFO and financial department will be scrambling around to get this money, and because of this, you may even experience prolonged periods of downtime. This kind of budgeting is also technically known as the “Principle of Inheritance”.
*The Risk Management Approach:
This is one of the biggest buzzwords in Cybersecurity today, along with the other pieces of techno jargon that are being bandied about. But what exactly is it? There are many ways to look at it, depending upon who you speak to. But in general, this is the approach where you look at all of your IT Assets, both digital and physical, and categorize them in terms of the level of risk that they pose to your company.
This is based upon a classification scheme or hierarchy that either you have come up with yourself, or that is one of the preestablished ones you download from the Internet. The theory here is that those IT Assets with the greatest risk will be allocated the greatest amount of funding, and so forth in a decremental fashion until you hit those with the least amount of risk. And of course, these will receive the least amount of funding.
One of the advantages of this budgetary planning approach is that at least you are making a reasonable attempt to predict what the future holds and are making resource allocation decisions that way. But suppose IT Asset “A” (which is deemed to be at great risk in the event of a Cyberattack and has received the most bucket funding) is never hit, and instead IT Asset “Z” (which is deemed to be at minimal risk in the event of a Cyberattack and has received almost no bucket funding) is impacted. How will you move the money around quickly?
This is almost the same as using the last methodology where you have not planned for any kind of contingency. In other words, even when using a risk-based approach to calculate your Cybersecurity budget, anything can still change.
But with this approach, you at least have a theoretical idea as to where the levels of Cyber Risk lie in your business, which is a key metric that your CIO and/or CISO will always ask about, because they are being constantly grilled on this by the Board of Directors.
My Thoughts On This
As mentioned earlier, there are other methodologies out there that you can use to help compute your Cybersecurity budget. But the ones described here are the most commonly used ones. They both have their fair sets of advantages and disadvantages, just like anything else in life.
Thus, probably an even better approach is a hybrid one, in which you combine both of these methodologies. So, for example, you can still use your 2019 Cybersecurity budget as the baseline, and from there make projections as to where that funding can be spread around based upon the levels of risk that you have calculated.
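To make the hybrid approach concrete, here is an added example (not from the original post) that uses last year's budget as the baseline, sets aside a contingency reserve first, and spreads the rest in proportion to a likelihood × impact risk score; it then checks the "Asset Z gets hit" scenario from above. The 1-5 rating scales, tier thresholds, asset names, dollar figures and 10% growth and reserve shares are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One IT asset with a constructed 1-5 likelihood and 1-5 impact rating."""
    name: str
    likelihood: int
    impact: int

    @property
    def risk_score(self) -> int:
        return self.likelihood * self.impact  # 1..25


def risk_tier(score: int) -> str:
    """Hypothetical three-tier classification scheme (thresholds are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def hybrid_budget(last_year: int, growth: float, assets, contingency_share: float) -> dict:
    """Hybrid approach: last year's budget (plus growth) is the baseline, a contingency
    reserve is carved off first, and the remainder is spread in proportion to risk score."""
    total = round(last_year * (1 + growth))
    reserve = round(total * contingency_share)
    pool = total - reserve
    weight_sum = sum(a.risk_score for a in assets)
    allocations = {a.name: round(pool * a.risk_score / weight_sum) for a in assets}
    return {"total": total, "contingency": reserve, "allocations": allocations}


def incident_shortfall(budget: dict, asset_name: str, cost: int) -> int:
    """Money that would have to be found outside the plan when `asset_name` suffers an
    incident costing `cost`: its own budget line is spent first, then the reserve."""
    available = budget["allocations"][asset_name] + budget["contingency"]
    return max(0, cost - available)


# Constructed sample: three assets, last year's budget, 10% growth, 10% held in reserve.
ASSETS = [Asset("A", 5, 5), Asset("B", 3, 4), Asset("Z", 1, 3)]
BUDGET = hybrid_budget(last_year=1_000_000, growth=0.10, assets=ASSETS, contingency_share=0.10)

if __name__ == "__main__":
    for a in ASSETS:
        print(a.name, risk_tier(a.risk_score), BUDGET["allocations"][a.name])
    # Low-risk asset Z is the one actually hit; the reserve absorbs a 150k incident.
    print("shortfall:", incident_shortfall(BUDGET, "Z", 150_000))
```

Re-run with `contingency_share=0.0` to see the pure risk-based allocation leave a shortfall on the same incident.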
But once again, you still never know what can happen. Therefore, it is always best to get the best Cybersecurity Insurance Policy that you can to help protect you against the unknown. Remember, it should be part of your overall Security Policy that your organization will always, on a regular basis, look at and critically examine the level of risk that each of your IT Assets poses.
In fact, many insurance carriers are now making this mandatory before they will even award you a policy. Even if your carrier does not require it upfront, you will have a much better chance of getting a complete payout on your premium if you make use of an appropriate risk management policy.
Remember, in order to keep this process more manageable, you should first start by looking at those benchmarks and risk categories that are most relevant to your industry. Also, it might just be best to hire a Cybersecurity Consultant with deep expertise in risk calculation to help you figure all of this out. Will this be an expensive proposition? Yes, it could very well be, but it will pay its dividends back to you handsomely in the long term.
Finally, more details about the market research study conducted by Kaspersky can be seen here at the link below: