Where to Start
Unfortunately, there’s no “easy button” to know exactly how much you should spend on security. Every organization is unique, and the amount you should spend depends on your specific IT risk profile. Gauging your risk requires a full audit of your infrastructure and data. Until you know what important data you’re storing, where it lives, and what the impact of losing or leaking that data would be, you won’t know the costs associated with dealing with a security incident. Knowing those costs will help you identify a reasonable amount to spend to prevent them. Don’t forget the “availability” of your data is important too. You need to protect against downtime just as much as loss of data.
You should also pay attention to any regulations your business has to meet. If your organization operates in the healthcare space, you need to remain HIPAA compliant. If you take credit cards, you must adhere to PCI requirements. These regulations have very specific fines and penalties. Those specific fees can help guide you to the ultimate cost of a breach.
That said, the easiest way to see if you’re in the right ballpark is to benchmark against similar businesses. Various analyst firms regularly survey businesses to ask what percentage of IT budget they spend on security. The answers vary widely, but one 2019 Deloitte survey shows anywhere between 6% and 14 of IT budgets, for an average of 10%. Weigh your security budget allocation against these numbers, but know that where you sit within those ranges depends on the degree to which your business relies on its IT infrastructure, and the volume of sensitive data you house. If you run a more legacy-type business with less IT resources, you’re probably fine in the lower range, whereas a more modern, IT-forward company with critical intellectual property, financial and customer information probably belongs higher in that range.
Ponemon’s annual Cost of a Data Breach Report actually breaks down the cost of a data breach by region, company vertical, and type of attack every year. In fact, one of the most interesting stats from the report is its “average cost of a breach per customer record” ($150 per compromised record in 2020). No matter how big or small your organization is, this data gives you a convenient way to estimate the average cost of a breach based on the number of customer records you could lose. You should never spend more on security than the maximum cost of a breach multiplied by its percentage of likelihood.
The Impact of COVID-19
As the effects of the global pandemic continue to play out across the world, the accelerated shift to remote work has been and will continue to be a major consideration for CISOs. It will take some time to fully understand how COVID-19 will impact security priorities and spending, but two things will likely prove true regardless.
First, security spend per employee will likely rise. In its IT Key Metrics Data 2019 report, Gartner reported the average security spend per employee during 2018 was $1,178, which represented a significant 67% rise compared to 2012. The report doesn’t specify the cause of this spike, but it’s likely related to the growth of remote work during that period. In your office, you can consolidate many defenses into one network perimeter—the gateway to office network. You don’t have to spend as much on individual defenses when you have shared perimeter security. However, remote workforces mean each employee needs their own discrete protections, which could explain some of the increased spend. COVID-19 forced a worldwide, overnight move to remote work, which could slightly increase security spending per employee moving forward.
Second—and hopefully this will be better news—COVID-19 will mostly cause organizations to rebalance existing budgets. While security budgets may increase due to remote employees, you have the option of funding some of that growth by simply reallocating security spending strategically. Your office perimeter, cloud, and remote users all need security controls, but what you spend most on should depend on where your most important data is, and how many assets you have in each place. If you have more employees working from home, and more services in the cloud, perhaps you balance your existing budget to prioritize that, and vice versa. In the end though, the pandemic will certainly either focus or increase most organizations’ budgets around endpoint and user-based defenses.
Evolving Threats Can be Your Guide
You should always pay attention to the current threat landscape and adjust your security spending and priorities accordingly. When ransomware was first exploding back in 2016, you should’ve been concentrating your budget on security controls related to backup and disaster recovery or advanced malware detection to catch evasive ransomware. Throughout 2019 and 2020, spear phishing and credential theft have run rampant, proving out the mantra that, “hackers don’t break in, they log in.” This year you may focus your spend on protecting users’ digital identity with solutions like advanced MFA (especially when everyone is working from home). Regardless of what the latest attack trends might be, always maintain a pulse on the evolving threat landscape, as changes in how hackers operate may affect how much you need to budget, and how you spend it.
Putting it All Together
The most important aspect of any successful security planning and budgeting cycle is to begin with quantifiable risk measurements and impact assessments. Identify any and all regulations your business must adhere to, as well as the associated penalties for incidents and compliance lapses. Conduct a formal risk audit to inventory your sensitive data, and measure the financial impact of any temporary or permanent losses. Reference security budgeting benchmarks for your industry vertical, employee count, and average data breach costs.
If you do that work, you should settle on a decent budget for your organization. However, don’t forget to leave room for your growth and digital transformation. While security may not feel like a business enabler, preventing incidents is a modern business imperative. That said, if you implement security poorly, it can become an impediment to business too. Consider building some extra cushion into your security budget to ensure you can implement sophisticated solutions that can simplify security, reduce friction and even help facilitate your digital transformation.