According to research commissioned by IBM, the ideal spend on Cyber Security is 9.8 to 13.7% of your I.T. budget.  This percentage is estimated to grow along with the increased integration of security into all facets of I.T. infrastructure.
The Case for Proactive Cyber Security Budgeting
It can be difficult to feel the value of risk mitigation spending.
Insurance, physical security, and other preventative measures are costly and the benefits are often hard to quantify, but company leaders are beginning to grasp the true risk cyber crime poses to all businesses:
- Hackers cost the global economy more than $111 billion annually.
- Attacks on small businesses cost an average of $188,242 per breach.
- 51% of breaches in 2016 were perpetrated by affiliates of organized criminal groups.
- 73% of breaches in 2016 were financially motivated.
- 2,500 cases of ransomware costing victims $24 million in the US alone were reported to the Internet Crime Complaint Center for 2015 (Turkel, 2016)
Companies are reportedly responding in kind, with cyber security spending to exceed $1 trillion from 2017 to 2021. But there is still a sizable gap between the threat level and reality, with a majority of businesses delaying or downright denying the importance of a cyber security budget that exceeds 3% of a company’s capital expenditures. 
Where to Start
For organizations without a cyber security strategy, the first step is to start with a risk assessment performed by a consulting body with experience in your industry. The results of your risk assessment should be formally reported to you using clear data points to help you begin formulating your budget.
A risk assessment executive summary should be your primary aid in determining:
- The size of your attack surface
- Your vulnerabilities, from greatest to least
- Related to the above, the probability and impact of being breached via your various vulnerabilities
- An estimated scope of deploying controls and countermeasures
- A suggested timeline to addressing gaps and a suggested date for reassessment (usually each year)
Your budget should completely cover high probability–high impact scenarios and with room for lower probability–high impact scenarios as well. And of course, your countermeasures should keep low impact scenarios from escalating.
How to Know You’re Budgeting Enough
After your assessment, research, and RFP process, if applicable, you may find that a well-rounded cyber security budget is greater than 13.7% of your I.T. spending. In this case, it’s helpful to remember that budgeting for cyber security is not budgeting for the “what if” but for the “when.”
Speaking at the IBM Security Summit in New York City in 2015, IBM’s chairman, CEO and President Ginni Rometty said, “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
Computer security budgeting will require a shift, perhaps a sizable one, in your operations strategy. But a quality solution can lower your likelihood of what is essentially an inevitable, direct attack on the health and profitability of your business.
Email us your questions about developing your cyber security budget for 2018 and an advisor will get back to you within one business day.