It is time to start thinking about the upcoming fiscal year. Establishing an IT budget can be a difficult task when you have several competing priorities and needs. Many of these are tangible needs: laptops, tablets, desktops, servers and switches. When prioritizing and justifying these purchases, you can point to the average lifespan of the hardware and/or return on investment. But how do you justify or prioritize needs that are less tangible, like cyber security awareness training, network security solutions or additional security staff? In other words… how can you make sure that cyber security is included in your IT budget?
To plan a cyber security budget effectively, you need a clear picture of organizational risk. A good place to start is the cyber incidents you have had in the past. By cataloging past incidents, you can estimate how many recurring incidents you are likely to face in the future and project the costs of those incidents in both money and labor. If certain types of incidents occur on a regular basis, use that history to project the number of cyber incidents you might face and the costs associated with them. Alongside the historical cost of incidents, you may also want to plan for a major cyber incident. One study by Kaspersky Lab and B2B International suggests the average cost of an incident can be as much as $38,000 (SMBs Lose Around $38,000 in Every Cyber-Attack).
In addition to looking at past incidents, you might also want to perform a more formal risk assessment. SANS has a useful document outlining what is involved in the risk assessment process (An Overview of Threat and Risk Assessment).
When performing the risk assessment, you’ll need to consider new and emerging threats that might affect your organization. Some of the threats that appeared in 2017 are outlined in this article from SC Magazine. You should also think about the future. New threats appear every single day. This article, Top 5 Cybersecurity Concerns for 2018, from CSO, outlines some of the top concerns for 2018.
Once you have identified all the risks facing your organization, you can start prioritizing your cyber security budget. Calculate the total cost of the predicted incidents per year and use that to determine the return on investment (ROI).
ROI = (Total Estimated Cost of Incidents / Cyber-Security Budget) X 100%
The ROI will help you make informed decisions and justify the items you include in your cyber security budget and will also ensure that your organization will get the biggest bang for its buck.
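The steps above (catalog past incidents, spread their money and labor cost over the observation window, add a reserve for one major incident, then apply the ROI formula) can be worked through in a short script. This is an added example, not part of the original post or a MOREnet tool: the incident records, the three-year window, the $60/hour labor rate and the $40,000 budget are constructed assumptions; the $38,000 major-incident reserve is the figure the post cites.

```python
"""Project recurring incident costs from a past-incident catalog and apply
the post's ROI formula. Added example; all incident data below is constructed."""
from collections import defaultdict
from datetime import date

# Constructed catalog (not real data): (date, incident type, direct cost USD, staff hours)
INCIDENTS = [
    (date(2015, 2, 3), "phishing", 1000, 10),
    (date(2015, 6, 18), "phishing", 1000, 10),
    (date(2015, 9, 1), "malware", 2000, 20),
    (date(2015, 11, 20), "lost_device", 1500, 5),
    (date(2016, 1, 14), "phishing", 1000, 10),
    (date(2016, 4, 27), "phishing", 1000, 10),
    (date(2016, 8, 9), "malware", 2000, 20),
    (date(2017, 3, 5), "phishing", 1000, 10),
    (date(2017, 7, 22), "malware", 2000, 20),
    (date(2017, 10, 30), "phishing", 1000, 10),
    (date(2017, 12, 12), "lost_device", 1500, 5),
]
OBSERVATION_YEARS = 3.0               # assumption: the catalog spans three fiscal years
LABOR_RATE_USD_PER_HOUR = 60.0        # assumption: loaded cost of one staff hour
MAJOR_INCIDENT_RESERVE_USD = 38000.0  # average per-incident cost cited in the post


def incident_cost(direct_usd, labor_hours, labor_rate=LABOR_RATE_USD_PER_HOUR):
    """Money plus labor for a single incident."""
    return direct_usd + labor_hours * labor_rate


def summarize_by_type(incidents, years, labor_rate=LABOR_RATE_USD_PER_HOUR):
    """Per incident type: observed count, expected incidents per year, and
    expected annual cost (total observed cost spread over the window)."""
    counts = defaultdict(int)
    costs = defaultdict(float)
    for _when, kind, direct, hours in incidents:
        counts[kind] += 1
        costs[kind] += incident_cost(direct, hours, labor_rate)
    return {
        kind: {
            "count": counts[kind],
            "per_year": counts[kind] / years,
            "annual_cost_usd": costs[kind] / years,
        }
        for kind in counts
    }


def projected_annual_cost(incidents, years, reserve=MAJOR_INCIDENT_RESERVE_USD):
    """Recurring-incident projection plus a reserve for one major incident."""
    summary = summarize_by_type(incidents, years)
    recurring = sum(row["annual_cost_usd"] for row in summary.values())
    return recurring + reserve


def roi_percent(total_estimated_cost, budget):
    """The post's formula: (Total Estimated Cost of Incidents / Budget) x 100%."""
    if budget <= 0:
        raise ValueError("budget must be positive")
    return total_estimated_cost / budget * 100.0


if __name__ == "__main__":
    summary = summarize_by_type(INCIDENTS, OBSERVATION_YEARS)
    for kind, row in sorted(summary.items()):
        print(f"{kind:12s} {row['count']:3d} seen  "
              f"{row['per_year']:.2f}/yr  ${row['annual_cost_usd']:,.0f}/yr")
    total = projected_annual_cost(INCIDENTS, OBSERVATION_YEARS)
    budget = 40000.0  # assumption: proposed cyber security line item
    print(f"projected annual cost: ${total:,.0f}; "
          f"ROI at ${budget:,.0f} budget: {roi_percent(total, budget):.0f}%")
```

Keeping labor hours separate from direct cost matters in practice: the labor figure is what justifies additional security staff, while the direct cost supports tooling and training line items. Swap in your own incident catalog and loaded labor rate to reproduce the projection for your organization.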
As always, the MOREnet Cyber Security team is here to help! If you have a follow-up question or a suggestion for an upcoming blog topic, please e-mail us at firstname.lastname@example.org.