It can be hard for management to see the ROI when they budget for cybersecurity. It's much clearer to see the benefit of investments that have a direct impact on customer purchases, production, or inventory. Investments that focus on reducing costs and risks to the company, like cybersecurity, sometimes require more convincing.
If you're the appointed person negotiating for your cybersecurity budget, you need to properly frame your argument. To do this, you must have the following:
- A quantifiable budget.
- A case for why you need this budget.
In this article, we'll walk you through the steps to achieve both, so you can properly fight for your company's cybersecurity budget.
Quantifying your budget comes down to measuring one concept: risk.
Cybersecurity expert Ilia Kolochenko recommends starting with a comprehensive risk assessment. Your company's risk has two components: the probability of an event happening (e.g. a security breach), and the costs associated with that event if it does happen.
Developed by researchers at the University of Maryland, the Gordon-Loeb Model contextualizes risk assessment specifically for cybersecurity. The model takes into account:
- The potential loss from a cybersecurity breach.
- The probability of a breach.
- The way cybersecurity investments reduce this probability.
The Gordon-Loeb Model is straightforward to use, consisting of the following four steps:
- Estimate the value of the information you're trying to protect (e.g. your company's sensitive data).
- Estimate the probability that each information set will be breached. Assign each information set a vulnerability score, based on its probability of being attacked.
- Prioritize the information sets by developing a grid, ranging from low value/low vulnerability to high value/high vulnerability. For each box inside the grid, calculate the potential loss by multiplying the information's value by its probability of a breach.
- With a completed grid laying out the potential loss values for each information set, you can identify which ones are most crucial to spend your money on.
From here, you can build your budget from the ground up. In a perfect world, you'd have sufficient budget to protect all of your company's information sets equally, but in reality, it's likely you'll have to pick and choose between them. Using this system as a guide, you can logically select the information sets to protect in the immediate term. If you have a ballpark estimate on the budget you'll need to work within, you can distribute the budget across your most valued (or most at-risk) information sets.
The Gordon-Loeb Model has found that cybersecurity budgets shouldn't exceed 37% of total expected losses. This is because the security offered by a cybersecurity budget yields diminishing returns with increased spending.
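The four steps above, carried through in code. This is an added example, not part of the original article or the Gordon-Loeb authors' work; the information sets, dollar values, breach probabilities and grid thresholds are constructed sample figures, and the 37% cap is applied per information set as the model's upper bound on justifiable spending.

```python
from dataclasses import dataclass

# Gordon-Loeb upper bound: spend no more than 37% of the expected loss you are protecting against.
GORDON_LOEB_CAP = 0.37


@dataclass(frozen=True)
class InfoSet:
    name: str
    value: float          # step 1: estimated value of the information, in dollars
    vulnerability: float  # step 2: estimated probability of a breach, 0..1

    def expected_loss(self) -> float:
        # step 3: potential loss = value x probability of breach
        return self.value * self.vulnerability


def grid_cell(info: InfoSet, value_threshold: float, vuln_threshold: float) -> str:
    """Place an information set in the low/high value x low/high vulnerability grid."""
    v = "high value" if info.value >= value_threshold else "low value"
    p = "high vulnerability" if info.vulnerability >= vuln_threshold else "low vulnerability"
    return f"{v}/{p}"


def build_grid(sets, value_threshold: float, vuln_threshold: float) -> dict:
    """Map each grid cell to the names of the sets in it, highest expected loss first."""
    grid: dict = {}
    for s in sorted(sets, key=lambda s: s.expected_loss(), reverse=True):
        grid.setdefault(grid_cell(s, value_threshold, vuln_threshold), []).append(s.name)
    return grid


def prioritize(sets) -> list:
    """Step 4: rank information sets by the loss you stand to avoid."""
    return sorted(sets, key=lambda s: s.expected_loss(), reverse=True)


def max_justifiable_budget(sets) -> float:
    """The model's ceiling for the whole budget: 37% of total expected loss."""
    return GORDON_LOEB_CAP * sum(s.expected_loss() for s in sets)


def allocate(sets, budget: float) -> dict:
    """Distribute a ballpark budget in priority order.

    Each set receives at most 37% of its own expected loss; anything beyond that
    is, by the model, spending past the point of diminishing returns.
    """
    allocation: dict = {}
    remaining = budget
    for s in prioritize(sets):
        cap = GORDON_LOEB_CAP * s.expected_loss()
        spend = min(cap, remaining)
        allocation[s.name] = round(spend, 2)
        remaining -= spend
        if remaining < 0.01:  # budget exhausted (tolerates float rounding)
            break
    return allocation


# Constructed sample data: four information sets with made-up values and probabilities.
SAMPLE_SETS = [
    InfoSet("customer PII", 2_000_000, 0.30),
    InfoSet("payment records", 5_000_000, 0.10),
    InfoSet("marketing assets", 200_000, 0.40),
    InfoSet("internal wiki", 100_000, 0.05),
]

if __name__ == "__main__":
    for cell, names in build_grid(SAMPLE_SETS, 1_000_000, 0.2).items():
        print(f"{cell:38s} {names}")
    print("ceiling on total budget:", round(max_justifiable_budget(SAMPLE_SETS)))
    print("allocation of a $300k ballpark:", allocate(SAMPLE_SETS, 300_000))
```

With these sample figures the customer PII set (value $2M, 30% breach probability, expected loss $600k) outranks the payment records ($5M, 10%, $500k) even though the payment records are worth more, which is the point of multiplying value by probability rather than ranking on either alone. A $300k ballpark budget is spent on those two sets only, and the whole budget is capped at $438,450 (37% of the $1,185,000 total expected loss).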
Now that you've identified your ideal cybersecurity budget, you're left with the difficult task: convincing your company's decision-makers to approve it. Depending on the size of your company, you may be speaking directly with the business owner (a more likely scenario for SMBs), or a leadership board at a large corporation.
No matter how many decision-makers you must appeal to, your approach comes down to one key practice, which Security Channel Technical Lead Valory Batchellor of IBM calls speaking their language. This is where the Gordon-Loeb Model you used earlier helps tremendously. By assigning a value to the key factors associated with your budget (risk, costs, and benefits), you can help decision-makers see the importance (and validity) of your requested budget.
The basic rule of security investing is that the benefit should just outweigh the costs. Efficiency is everything. If a $5 million cybersecurity budget is expected to save the company $6.0 million, why would leaders approve a $5.1 million budget that accomplishes the same thing?
Tools like the Gordon-Loeb Model put this rule into action, by showing the most efficient way to cover risk. Approaching leaders from this angle can help them see — in calculated dollars — the benefits of each aspect of your cybersecurity budget. When you clearly show how your requested budget aims to cover your most valuable and vulnerable information sets, you can increase your chances of approval.
Last year, Yahoo announced that a data breach had compromised up to 500 million accounts — the damage later jumped to 1 billion accounts. While these cyberattacks brought major financial losses, they also dealt a significant blow to the company's reputation. Yahoo's unfortunate situation highlights an important and less-tangible risk of cybersecurity breaches.
Apart from the costs to update security and equipment after a cyberattack, your company's reputation is also at risk. Reputation is difficult to measure in concrete numbers, but that makes it no less important. Losing the trust, loyalty, appreciation, or admiration of consumers can sink a company quickly.
Other consequences of a cybersecurity breach can include the following:
- Loss of potential business dealings: Following Yahoo's major security breaches, Verizon reconsidered the business deal the two companies had previously arranged. While they ultimately agreed to follow through on the deal, Yahoo saw months of hard work and negotiations suddenly teetering on the edge. A cyberattack doesn't just impact your company in the moment, but may also have far-reaching implications for the future.
- Exposure of trade secrets: Companies rely on trade secrets and internal know-how to maintain their competitive advantages. Security breaches can lay this information out in the open for anyone (including your competitors) to see. Aside from the task of recovering your own data, your company may end up requiring extensive pivoting in business strategy, in a new landscape where your trade secrets are no longer secrets.
- Litigation: The loss or exposure of customer information can be a fast reputation killer, and one that can come with a hefty price tag. Yahoo and Target both faced class-action lawsuits after security breaches compromised customer data. Whether your company goes to trial or settles outside of court, you could be on the hook for massive costs (Target paid $10 million).
While the direct, financial costs of a potential breach will be the quickest way to get the attention of management, it's crucial to also give them a rundown of all ways in which a breach can damage the company. Positioning your cybersecurity budget in this context can help decision-makers understand the real-world implications of breaches, apart from the obvious dollar sign.
No matter how precise your estimate, the calculated cost of a potential breach is never a guaranteed figure. In just one year, from 2015 to 2016, the average cost of a cybersecurity breach jumped from $3.8 million to $4.0 million.
The costs associated with cybersecurity breaches are only expected to rise. It's important to emphasize this point when speaking with your decision-makers. If your budget isn't approved this year, you'll only need to request more in the future, once rising breach costs have pushed your risk figure higher.
Designing and implementing a security system before a breach is much more cost-effective than patching a system post-breach. We've already covered the many consequences resulting from a data breach. Proactive planning can remove liability and reputation damage from the equation. Having a cybersecurity system in place can be a strong asset for large companies considering sales and mergers.
Budgets are carefully built to show the most efficient use of funds. Remember, high cybersecurity budgets don't necessarily correlate to improved security — it's all in how the money is used. By showing your decision-makers the thought and purpose behind the budget your team has calculated, you can increase their confidence in you and their comfort that the money is being used as efficiently as possible.