
How Much Should I Spend on Cyber Security?


According to research commissioned by IBM, the ideal spend on cyber security is 9.8% to 13.7% of your I.T. budget. This percentage is estimated to grow along with the increased integration of security into all facets of I.T. infrastructure. Compare a healthy cybersecurity budget of 10% of the I.T. budget with an average cost per breach of $200,000 to $1.3 million. You’ll want to consider this when calculating cybersecurity ROI.

The Case for Proactive Cyber Security Budgeting

It can be difficult to feel the value of risk mitigation spending.

Insurance, physical security, and other preventative measures are costly and the benefits are often hard to quantify, but company leaders are beginning to grasp the true risk cyber crime poses to all businesses:

  • Hackers cost the global economy more than $111 billion annually.
  • Attacks on small businesses cost an average of $188,242 per breach.
  • 51% of breaches in 2016 were perpetrated by affiliates of organized criminal groups.
  • 73% of breaches in 2016 were financially motivated.
  • 2,500 cases of ransomware costing victims $24 million in the US alone were reported to the Internet Crime Complaint Center for 2015 (Turkel, 2016)

Companies are reportedly responding in kind, with cyber security spending to exceed $1 trillion from 2017 to 2021. But there is still a sizable gap between the threat level and reality, with a majority of businesses delaying or downright denying the importance of a cyber security budget that exceeds 3% of a company’s capital expenditures.

Where Should I Start? Is a Cyber Risk Assessment Necessary?

For organizations without a cyber security strategy, the first step is to start with a cybersecurity risk assessment performed by a consulting body with experience in your industry. The results of your risk assessment should be formally reported to you using clear data points to help you begin formulating your budget.

A risk assessment executive summary should be your primary aid in determining:

  • The size of your attack surface
  • Your vulnerabilities, from greatest to least
  • Related to the above, the probability and impact of being breached via your various vulnerabilities
  • An estimated scope of deploying controls and countermeasures
  • A suggested timeline for addressing gaps and a suggested date for reassessment (usually each year)

Your budget should completely cover high probability–high impact scenarios, with room for lower probability–high impact scenarios as well. And of course, your countermeasures should keep low impact scenarios from escalating.

How to Know You’re Budgeting Enough

After your assessment, research, and RFP process, if applicable, you may find that a well-rounded cyber security budget is greater than 13.7% of your I.T. spending. In this case, it’s helpful to remember that budgeting for cyber security is not budgeting for the “what if” but for the “when.”

“Cyber Crime is the greatest threat to every profession, every industry, every company in the world” – Ginni Rometty; Shark in the Deep

Speaking at the IBM Security Summit in New York City in 2015, IBM’s chairman, CEO and President Ginni Rometty said, “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”

Computer security budgeting will require a shift, perhaps a sizable one, in your operations strategy. But a quality solution can lower your likelihood of what is essentially an inevitable, direct attack on the health and profitability of your business.

Email us your questions about developing your cyber security budget for 2018 and an advisor will get back to you within one business day. 
