How to size your cyber security budget

2022-04-21 Paliscope

Do you know exactly what you spend your cyber security budget on today? And do your cyber expenses directly impact your company’s maturity level? If the answer is no, or you just don’t know, you should definitely keep reading.

Since cyber-attacks have become more common in recent years, many CISOs need to increase their cyber security budgets. Convincing the Board and Executive Management will be difficult unless you can show how the current budget is spent.

In this article, Paliscope’s CEO Rolf Rosenvinge walks you through the steps on how to size your cyber security budget correctly.

Step 1: Understand what you spend today

The first step to sizing your budget is defining it and analyzing current spending.

“There are two parts of the equation which are both equally important to lay the foundation before you can start sizing your budget. One is knowing what you spend today, and the other is what maturity level your company is currently at,” says Rolf.

There is no point in just counting your spending: the figure says little unless you also know how those expenses affect your company’s maturity level.

“Everyone should know how to define their cyber security budget and how much they spend. It is just as important, if not more so, as knowing what they spend on company cars or office rent. If you don’t know, there is a big risk you will spend your budget on the wrong things,” says Rolf.

So how do you define the budget?

“We look at how the security expenditure is divided between the five functions of the NIST framework, which are: Identify, Protect, Detect, Respond and Recover. This will be the foundation for continued analysis”, says Rolf.

When you have a clear view of your current situation, it’s time for step two – make a plan and size your budget.

Step 2: Set up a target and size your budget

After analyzing spending and maturity level, it’s time for benchmarking.

“Since we have many years of experience working with cybersecurity, it makes it easier for us to compare your organization with your peers. We know roughly what a cyber program usually costs, and with that knowledge, we can estimate what percent of your IT budget should be directed to cyber security”, says Rolf.

Since all companies are different, no single percentage fits everyone. The right figure depends on how many employees you have, how exposed the company is and which maturity level you need to reach.

As mentioned, when defining your budget, there is a framework that includes five essential functions for your cyber security: Identify, Protect, Detect, Respond and Recover.

However, another way to look at it is to split the budget between people, processes, and technology. The key is to find balance in your budget. Rolf gives an example:

“The most common mistake we see is that companies buy tools, but often they forget to ensure they have enough people with the right competence and capacity to use them. If you buy the technology without having people and process, you will waste your money”, says Rolf.

Unforeseen events

It is also important to set aside part of the budget for unforeseen events. Then, if something unexpected happens, you can start working on a solution immediately instead of waiting for new funding.

“The only thing we know is that something will happen during the year, since the cyber threats always change in character. Therefore, our recommendation is to prepare yourself by putting 10% of your budget in an unforeseen bucket”, says Rolf.

When all this is set, it’s time for the most challenging part: Getting the whole company on board with your plan!

Step 3: Take it to the board meeting

When you take your cyber security strategy to the Board and Executive Management to ask for a higher budget, you need to be prepared to answer their questions. If you can’t, it will be hard for them to accept an increased budget.

“We often say that what we actually do is help the cyber security people speak the same language as the people in charge of your company’s finances. They don’t know what you do, and they will certainly not just hand out money without knowing exactly where it’s going. They want to look at the numbers all lined up in a nice Excel document”, says Rolf.

Work continuously to ensure that the budget size stays correct

You have defined and sized your budget. It was approved, and you started putting it into action. Then what?

“We recommend measuring your cyber security maturity level once every year to see how well your company is doing according to the NIST framework. If you are not at your planned target state, you probably need to rethink your plan”, says Rolf.

Let’s say you spend 200 million to reach a certain level, but in the end you are still behind your peers. You should then ask yourself questions like: Do we have too many consultants? Should we have hired instead? Can we start hiring now? And so on.

“The most reasonable thought is always to be open to rethinking, redoing, and calibrating your budget once a year. Your plan is not set in stone and should be able to transform at the same pace as the cyber attackers do”, says Rolf.

Get in touch!

Reach out to learn more or discuss how we can help you in your work.