US Cybersecurity budget proposal stands at $10.9B (FY2023), while cybercriminals made $6 trillion in 2021
One can decipher the importance of cybersecurity and at the same notice the bridge between spending and losing in that stat. A quantum future is already in the making, and tech giants are already in the race. One research estimate put quantum computers to be a million times faster than classical computers. Such great computing power can reform the way we see and interact with technology. To be a part of such an experience, one needs to rethink cybersecurity, novel threats, and challenges posed in the ever-increasing digital space.
Every enterprise, irrespective of its size and nature, allocates a certain chunk of its IT budget toward cybersecurity. These figures roughly land anywhere between 2% to 10.7% or just around 0.2% to 0.9% of their revenue. This roughly equals the (proposed) US Cybersecurity budget – around 0.45% of their GDP. In a space where black hats (criminal hackers) are intimidating even the top tech giants, one has to reassess their Cybersecurity budget, and simultaneously look after cybersecurity budget optimization to achieve the best price to performance ratio.
Does your Cybersecurity budget address these key areas?
A cybersecurity budget breakdown should be able to define a company’s viewpoint and direction in adopting cybersecurity practices. Our experts at Sectrio curated the four areas, where you should exclusively focus upon:
1. Reactive vs Proactive
The first and the most vital step in cybersecurity is being proactive, and not reactive. By the time a security breach is discovered and acted upon, the enterprise might end up losing credibility, business, and reputation. Many enterprises only work on implementing preventive measures and miss upon securing critical data and infrastructure. A proactive approach includes building cybersecurity from a hacker’s point of view and trying to penetrate the systems. An enterprise can hire blue/red hat experts to carry out penetration exercises and ramp up its cybersecurity.
2. Leveraging SOAR technologies
SOAR (Security Orchestration, Automation, and Response) technologies may not be coming at takeaway prices, but surely their ROI can justify their costs. The in-house cybersecurity team is often overwhelmed by the quantum of alerts thrown up by security systems. Collecting, assessing, and identifying false positives is a herculean task for the security team. Where speed and efficiency are vital, these challenges can be daunting. This is where SOAR technologies help in building automated responses to low-level threats. This leaves the cybersecurity teams more time to work on tasks that require human intervention and deeper analysis.
3. Protection of infrastructure & data
In a digital space, data is the key to success. Protecting every bit of that data is vital to an enterprise’s success. The following should be a part of every company’s annual cybersecurity budget breakdown:
- Detection tools, micro-segmentation, and encryption technologies
- Network monitoring solutions – Intrusion prevention systems, intrusion detection systems, web scanners, and packet sniffers
- Secure Email gateways to counter phishing and social engineering attacks
- Access and authentication technologies
- Robust data protection plan – Data sharing, tracking, portability, and breach notification
- Regular data backup and replication – This protects against data loss during ransomware attacks
4. Improving cybersecurity culture
Cybersecurity is not only the cybersecurity team’s job but everyone’s. Awareness programs, skill development, basic identification and reporting, and security awareness training should be a part of the cybersecurity budget of any enterprise. This prevents a considerable number of phishing cyber-attacks.
What is Cybersecurity budget optimization?
Everything needs to be optimized. Your phone battery, your hard disk memory, your grocery budget, and even the nation’s budget. Similarly, even a company requires a thorough cybersecurity budget optimization to make the best use of the resources available. It is of utmost significance that a company knows where it is overspending, underspending, and where it needs to be spent optimum. This helps in minimizing costs escalating due to unnecessary or otherwise unimportant factors and spending more on areas that require time and value.
Maybe you are overspending here!
Our experts have decoded the four areas of overspending from a company’s typical cybersecurity budget breakdown. Make sure you address the following four areas to curb your overspending:
1. Handling Technology bloat
In a company driven by technology, it is apparent that applications bloat over time. While few of them might be important, many of them can be simply pulled out of the regular workflow. Doing so will reduce time and money. Companies should deploy Technology Rationalization periodically to assess and eliminate tools and applications deemed unnecessary.
2. Legacy Systems
Running processes on legacy systems is one area many enterprises are stuck with. While the individual costs don’t pop up in the annual balance sheets, these costs compound with time and become start bruising before one realizes it. It is best advised to move to modern IT infrastructure that gives better cybersecurity support.
3. Protecting all data equally
Data type and nature vary greatly. While personal identification details, credit card numbers, and phone numbers can be very sensitive, policy documents and other in-house documents hardly have value. Depending on the type and nature of the data, protection tools must be deployed. This helps in bringing down the costs by a large margin with time.
4. Traditional Preventive Tools
Hackers find novel ways to leverage the latest technology and tools to intrude into a system. Deploying heavy traditional tools may not be the right way to go ahead in the future. A thorough risk assessment can help in identifying the high likelihood of the type of risks and deploy cloud-based solutions accordingly.
How to optimize your Cybersecurity budget?
Spending more does not mean more protection. Only when you spend wisely, your protection improves. It is vital to know where to focus and how to prioritize spending across various aspects.
1. Technology that serves your purpose need not be the best
More often than not, most hackers try to gain access to your enterprise’s network for financial gain. Though some ill-motivated competitors can hire a hacker to steal your business secrets, it is quite rare. While it sounds exciting to deploy cutting-edge military-grade level cybersecurity, it is often not put to its best use. Most companies don’t require a high-end cybersecurity solution. Instead, they can consult a cybersecurity firm, to discuss their needs and their requirements. The cybersecurity firm can then suggest them a dependable solution that works for both parties.
2. Heeding your CISO suggestions
Your Chief Information Security Officer is the key when it comes to cybersecurity budget optimization. Assuming that your CISO is capable of establishing a strong cybersecurity program, it will be important to heed your CISO. If it is difficult to hire a full-time CISO, many firms offer virtual CISO services.
3. Separate sensitive and regular data
If you are looking to trim down costs without compromising the security and privacy of your users and business, it is time to separate sensitive and regular data. This can reduce your cybersecurity costs at all levels, and can help you spend more in other areas.
4. Understanding threat and business landscape
Following regular business stories and information about incidents, breaches, and other cybersecurity-related events can help understand the threat landscape and ecosystem. This becomes key in listing out the requirements when it comes to engaging cybersecurity services for the company. Parallelly, understanding the business landscape helps in drafting a cybersecurity budget, without shooting in the foot.
5. Learning ‘How To Use’ before purchasing a tool
Before purchasing a cybersecurity tool, your cybersecurity team should be completely aware of its functionality and operation. If your CISO feels that the functionalities are overlapping, or your team feels the tools don’t exactly serve the purpose as marketed, you should step out. To extract the maximum functionality, your team should understand the tool in and out before it is deployed to protect your network.
6. Reduce attack surface
While BYOD (Bring-your-own-Device) might seem exciting for many startups, it also paves way for a larger attack surface. It is practically difficult to put a cybersecurity strategy around the BYOD ecosystem. By limiting access to critical data and implementing PMA (Privileged Management Access), the attack surface can be reduced.
7. Periodic regular risk assessment
By deploying tools like Intrusion Detection Systems and Intrusion Prevention Systems, enterprises can understand what kind of threats they are exposed, to and take stronger measures. From a cybersecurity point of view, there is no one-stop solution for all needs, and one has to keep marching ahead by comprehending their needs.
Threat Assessment: Reach out to Sectrio’s cybersecurity experts for a comprehensive threat assessment
8. Managed Detection and Response
For a few enterprises, running a full-time Security Operational Center may not be a feasible option. For such enterprises, outsourcing cybersecurity services can be the optimum choice.
It is relatively easy to engage an MDR (Managed Detection and Response) partner to look after your cybersecurity needs. This eliminates the need to hire and sustain highly skilled personnel to look after your cybersecurity needs. This will be a great step in your way towards cybersecurity budget optimization.
9. Deploy cloud cybersecurity strategies
Advanced and sophisticated hacking tools are readily available. Hackers are using Artificial Intelligence and social engineering techniques as a part of their attacks. This leaves traditional prevention systems behind the time. Instead of heavy spending on such systems, it is better advised to shift to cloud-based cybersecurity solutions providers like Sectrio. With round-the-clock monitoring and access to advanced analytics, you can secure your cyberspace without denting your cybersecurity budget.
10. Inculcating Cybersecurity culture across teams
This is by far the most ignored, yet effective way to optimize your cybersecurity budget. While the cost of Cybersecurity Awareness Programs can seem high, the benefits they bring are enormous in the long run. Conducting regular and periodic awareness programs can eliminate the threat of regular phishing attacks and improve employees’ loyalty to the organization with time.
Dear CEO, can your CISO report the ROI on the cybersecurity investment?
It might seem weird talking about the ROI of a cybersecurity project. Few see cybersecurity as a sunk cost. Others see it as insurance. Neither of them is true. Investment in cybersecurity is the foundation of running your business. It would be wise to measure the benefits cybersecurity offers than merely trying to measure the value of your investment. Rather than from a technical point of view, one requires a holistic approach to understanding this aspect – ROI on cybersecurity projects.
If a hacker manages to enter into the system despite all the multi-layered cybersecurity solutions in place, many points towards the CISO. We believe, one should re-think their budget allocations, and practices put in place to avoid cyber threats. It’s not surprising to know, that over 60 percent of small companies in the US shut down within 6 months after being hacked. While it is prudent that cybersecurity is of utmost importance, we need to navigate a path to show the ROI on it. It is strongly recommended that a CISO and CFO share great communication in creating a secure cyber environment.
Showing the ROI on Cybersecurity Project
In a successfully cyber-attack, a company usually loses on two fronts:
This can be due to a ransomware attack or a hacker who exfiltrated confidential and sensitive data, demanding a certain sum of money. In select cases, companies have even lost some money from their accounts. This effect is seen usually on the company’s balance sheets.
This is more dangerous from the company’s point of view. The non-monetary effects can be long-lasting and cascading. A few of the non-monetary effects of a cyber-attack are as follows:
- Loss of Intellectual Property, Business Secrets, and Strategies
- Loss of reputation
- System downtime
- Loss of corporate clients and customers
- Depreciation in brand value
- Fall in share price (for publicly listed companies)
- Regulatory fines
CASE PHI – A case study to understand losses from a cyberattack
In our case study, let us take an example of a cyberattack in which the personal health information (Data type: PHI) of 50,000 consumers is compromised. Assuming this is the first breach in the organization, with no fraud and no class action lawsuit, we arrive at the following imaginary data:
|Type of data exposed||PHI|
|Is the data stored in a centralized system?||YES|
|Is this the organization’s first breach?||YES|
|Is fraud expected?||NO|
|Is a class action lawsuit expected?||NO|
|Any data breach coverage?||NO|
Following are the estimated costs with the above variables taken into consideration (in the US):
|Customer Notification / Crisis Management||$290,250|
|Regulatory Fines & Penalties||$2,032,000|
|Class Action Lawsuit||$0|
While this is just a one-off example case assuming a basic breach, the expenses are well over $2.5M. Surely, the cost of deploying cybersecurity services is going to be only a fraction of it on annual basis.
Factors on which ROI on Cybersecurity depends:
1. Net Value at risk
The total value of resources and other assets (data and infrastructure) that can be affected by a cyber-attack.
2. SLE – Single Loss Expectancy: Amount
Loss incurred due to a single cyber-attack. The loss can be in terms of money lost and other associated direct and indirect costs. To further calculate ROI, let us take the example of CASE PHI for our reference. This stands out to be approximately $2.5M
3. ARO – Annual Rate Occurrence
This talks about the probability of a company getting hit by cyber-attacks annually. This number can vary between a mere 1 to even 100. It largely depends on the type and scale of the business. Going along with CASE PHI, let us assume this number to be 1.
4. ALE – Annual Loss Expectancy
The ALE is the product of the SLE and ARO. This helps us calculate the annual loss (expected) because of cyber-attacks.
ALE = SLE * ARO
From considering the CASE PHI, ALE is calculated to be around $2.5M
5. Downtime caused by implementing
This aspect usually compounds a huge factor when compounded. A quick pull from recent stats shows that on average employees have lost about 23 days due to a ransomware attack. Imagining the company with CASE PHI has 100 employees, this totals to a loss of 2300 days or 18400 work hours (8hours/day). Even at a pay of $35.5/hour, the company loses $653,200 annually.
6. Mitigation Risk
Mitigation risk is the ability to reduce the seriousness of an event, here cyber-attack in our case. The most conservative value of MR (Mitigation Risk) is around 85%, while most cybersecurity solutions are expected to have an MR of 95% and more.
In CASE PHI, further adding the downtime costs, the overall losses accumulate to the tune of well over $3.15M. This is excluding the loss of reputation, brand value, intellectual property, and other key corporate data.
Calculating Classical ROI
In general, ROI can be calculated using the below formula:
ROI % = (Gain from the investment – Cost of investment / Cost of Investment) * 100
Calculating ROSI (Return on Security Investment)
For calculating ROSI, let us churn the following numbers of a company:
- SLE = $35,000
- ARO = 12
- ALE = SLE * ARO = $35,000 * 12 = $420,000
- Mitigation Ratio (MR) = 85%
ROSI = (ALE * MR) / Cost of investment = ($420,000 * 0.85) / $50,000 = 714%
Such large attacks can be avoided with a fraction of investment in the right cybersecurity tools and services.
Cascading effect of Cyber-attacks – Loss of future
When an enterprise’s network is breached, not only its current assets are at risk but also its future. Many government projects demand clean background checks and expect uncompromised security from their vendors. The companies that have been hit by cyber-attacks, due to lack of cybersecurity practices, can potentially miss those valuable government contracts. This greatly affects the company’s growth both in terms of the balance sheet and its brand value in the market.
- A proactive approach toward cybersecurity should be deployed.
- Investment in cybersecurity solutions should be seen through a holistic lens and not as a sunk cost.
- Though the US Cybersecurity budget is climbing up the ladder, a lot more needs to be done.
- A thorough risk assessment should be performed before opting for cybersecurity solutions
- Cybersecurity Awareness Programs are key in trimming down the costs.
- CISO and CFO should work hand in glove when it comes to deploying cyber security solutions.
- The return and potential of cybersecurity investment are even more than what ROSI suggests.
- Evaluating and prioritizing various assets across the company is key.
Investing in cybersecurity tools not only means protecting your present,
But also assuring your future.