How to Determine Your Cybersecurity Program Budget

There’s no easy answer to the question “How much should we spend on cybersecurity?”

But, because the Federal Trade Commission (FTC) defines “reasonable” cybersecurity in such a way that you will be compared with other organizations similar to yours, it’s important to spend some time trying to figure this out.

Find Your Industry Average

Obtaining reliable average spending data can be difficult. Average spend by industry is a starting point.

Gartner, the IT research firm, is known for producing good numbers. And by spending some time with Google search you can find other sources.

Here’s some data I recently found over at SANS using the search terms “average cybersecurity budget.” It’s a bit old. And with threats rising at a rapid rate, future increases are sure to be greater than what you see in this table:

Median Budget and Percentage Allocated to Security by Year by Industry


https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697

You Can Do Better Than Average

A well-run cybersecurity program could produce superior results for less than average. In contrast, a poorly-run cybersecurity program can consume an above average budget and generate relatively little value.

The best programs determine their budgets by establishing good cyber hygiene and then by managing a prioritized list of cyber risks.

Good Cyber Hygiene Is a Moving Target

You could waste money by not keeping up with the latest trends.

For example, it’s not enough these days to protect your endpoints with anti-virus software. You also need to deploy the latest software patches quickly.

That means spending some more money to create and operate a patch management program. You might decide to avoid spending this money.

But, while you will avoid increasing your planned spending, the increase in successful attacks will increase your unplanned spending as you react to all the additional trouble.

You might also end up in a public data breach situation, the average cost of which is $4 million.

First Mover Advantage

Note that your competitors will be considering whether or not to spend money to create their own patch management programs. If they delay and are successfully attacked more often than you, then you gain a competitive advantage.

In the summer of 2017, the NotPetya data wiper spread throughout Eastern Europe. The package delivery company FedEx/TNT was severely impacted and was unable to accept new shipments or even deliver much of what they already accepted on time.

By comparison, their competitor DHL was only slightly affected by NotPetya. They stayed in business and were able to capture a large percentage of the customers who defected from FedEx/TNT.

Better cyber hygiene allowed DHL to win new business!

Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.

Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.