NZ Incident Response Bulletin – October 2022

Our Views:

Cyber Security Budgeting

Budgeting for cybersecurity is challenging partly because increasing and improving your cybersecurity posture is a continuous process rather than a finite task or one-off purchase. There are various ways to tackle cyber budgeting, including setting a percentage of overall IT spend, benchmarking, and taking a risk-based approach.

Some reports indicate that many international businesses set aside about ten per cent of their total IT budget for cybersecurity. This is an interesting ballpark figure, but a percentage does nothing to guarantee that critical cyber risks can be addressed or managed within risk tolerance. Some businesses may achieve acceptable cyber risk management for less than ten per cent of the IT spend. In contrast, others may have a large and high-risk environment requiring significantly more spending on security.

Therefore, more mature organisations may start budgeting by setting percentages aside and taking a risk-first approach. This involves assessing your current risk levels and determining what is needed to address them. When evaluating cyber risks and determining budget allocation, the main points for consideration tend to fall into the People, Processes and Technology categories. However, in each of these areas, some unique environmental issues will challenge the cybersecurity budgeting process through 2022 and 2023.

People

Technology is only as good as the people configuring, driving, monitoring and using it. Therefore, investing in skilled IT resources that know how to mitigate and respond to threats should not be overlooked. Over the coming year, the impact of rising inflation combined with scarce cybersecurity resources may contribute to a need for increased spending to secure talented professionals.

Additionally, the human factor plays a crucial role in most cyberattacks, and this trend shows no indication of changing this year. Therefore, investing in comprehensive training and awareness for all technology users within a business makes sense over the coming months.

Process

Procedures for basic cyber hygiene such as solid backup creation, device hardening, incident response and crisis management must be implemented, documented, understood, and tested for effective protection. Creating, maintaining and testing these processes that secure your assets requires budget consideration.

Changing regulatory requirements also drive the need for a budget in this area. For example, strengthened privacy legislation has led to a need for documented procedures to ensure compliance with Privacy Act obligations, such as mandatory notification. The grace period for this change is over, and all businesses must invest in appropriate processes to address this. In addition, companies that operate internationally may have further compliance measures to implement, including data classification and data lifecycle management.

Ensuring cyber governance procedures are in place also requires funding for establishment and maintenance. Governance procedures include risk assessment processes that help evaluate what kind of attack your business is likely to suffer and what impact this may have on your high-value assets, ultimately helping you to invest in the right areas.

Technology

There is an overwhelming number of technology solutions and tools available for purchase in the cybersecurity market. This means there are excellent options for protecting and monitoring your environment, but it also opens up the opportunity for overspending in this space. Understanding which tools will address your critical risks and budgeting for those, rather than relying on vendor sales pitches, is key to maintaining the right level of spending in this area.

The changing threat landscape in 2022 and 2023 should also be reviewed when considering technology investment. Vulnerabilities arising from increased cloud adoption, a growing number of endpoints and more external exposure may require focus. Increasingly, businesses will need to put significantly higher levels of effort into managing the cyber health of external parties.

The geopolitical environment, notably the war between Russia and Ukraine, has already altered the cyber threat landscape globally this year. Moreover, it will likely continue influencing threat levels for specific industries and their subsequent cybersecurity budgeting. Securing industrial environments may also need to be prioritised due to increased convergence between corporate IT systems and operational control systems.

While not neatly fitting into the above categories, changes to the costs of your cyber insurance policy may also need to be factored in over the next year.

Finally, don’t forget to expect the unexpected and allow for additional spending, over and above your current budget, particularly if you suffer a cyber incident.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.