HelpSource Q&A

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 30 June 2021

How much cybersecurity budget or investment does an organization need to effectively plan to reduce the number of security incidents and data breaches? How can security practitioners convince the board of directors (BoD) to approve this budget?

This is a very complex question. Let me try to break it into three parts.

For the purposes of this discussion, it should be acknowledged that cybersecurity and information security go hand in glove—meaning they are very difficult to segregate in general terms.

How Much Should an Organization Invest in Security?
The easy answers to this question are "It is not possible to say" or "It depends on various factors." The question is interesting precisely because it is a challenging one: it requires us to understand each of its terms and then relate them to one another to arrive at an answer.

Cybersecurity budgets or investments refer to investments made specifically for implementing cybersecurity programs. The best we can do is to determine indicatively what the budget should be. Why indicatively? Because a typical tool may support both information security and cybersecurity. For example, a firewall controls network traffic, and at the same time, with appropriate rule settings, it may also indicate a possible cybersecurity event. Thus, it is difficult to segregate an investment in a firewall into how much is for information security and how much is for cybersecurity. One could argue that the split can be computed from experience and that a formula for dividing the costs can be determined. But does the need merit this kind of effort?

One could also argue that some tools, such as security information and event management (SIEM) solutions, are implemented specifically for security and can be attributed to it directly. To add to the complexity, operational costs must also be allocated specifically to cybersecurity when the same facility is used for both IT and cybersecurity operations. As if this were not enough, there is yet another layer of complexity: the cost of the security tools and the configuration effort required to make them useful to the organization, which depends on the organization's IT infrastructure and requirements.

Depending on these variables, the efficacy of the tools could be well below 100 percent. Therefore, while one can argue that budgets can be determined, it is not easy to reach a conclusion without debate. Determining security investments is difficult, though not impossible.

How Resources Are Used to Reduce Security Incidents and Data Breaches
This is the objective of every chief information security officer (CISO). However, it is difficult to establish the relationship between a reduced number of incidents and the amount of investments in security. Here is why:

  • Optimized tools may help detect many security incidents much earlier, though there can be false positives and false negatives that require human intelligence to resolve. An endpoint attempting to communicate outside the domain might be legitimate traffic or a targeted attack, and an analyst must confirm which.
  • Tools may identify the presence of an attacker, but the organization may not be able to take action and stop the attack. There are cases in which a security team has had to weather a distributed denial-of-service (DDoS) attack because the attacker changed attack IP addresses frequently enough that blocking by source address was impractical.
  • Supply chain attacks such as the SolarWinds compromise, in which a trusted supplier was compromised and its software was used to deliver malware that breached data, remain possible.

In all these situations, the organization may have state-of-the-art technology, yet incidents may still impact it. Investment in multiple security tools may even induce the Peltzman Effect, the theory that people are more likely to engage in risky behavior once security measures have been mandated, because they feel protected.1

Another driver of increased security investment is compliance requirements. While the technologies required for compliance may be useful, they may or may not be justified by a cost-benefit analysis. Sometimes, decision-makers may feel that the organization cannot afford to comply with privacy and security requirements.

As an auditor and consultant, I used to tell clients not to invest in security just because a tool is available or because other organizations are investing. Risk can be mitigated by some simple but less effective controls that do not require significant investments. Regulators and legislators need to take such an approach to ensure better and still cost-effective compliance.

Gaining Board Support for Security Investments
CISOs often complain about the challenges they face when it comes to budget allocation. Getting approval for the right security budget is always a difficult task, because justifying the cost of security can be difficult, though not impossible. Senior management and the BoD are often more interested in business-related issues that are likely to add to growth and revenue, whereas security does not contribute directly to either.

Traditionally, information security has been considered a cost center since it requires additional specialized resources, both technical and in the form of skilled personnel and employee training. The focus of senior management and the BoD will always be primarily on business activities and growth and how this translates into inflows for the stakeholders. Therefore, it is important for CISOs to:

  • Understand business strategies and objectives and review the security strategies and objectives to ensure that they are aligned.
  • Review the risk register. It is important to ensure that the risk assessment results are expressed in business terms. This may be achieved by developing risk scenarios that can easily be understood by business managers. For example, nonavailability of a network may impact online service delivery, or a bug in an application may result in interruption of services to customers.
  • Ask the business function owner to assess the loss to the business in case any such scenario materializes. Since business function owners monitor the business function, they are in a better position to assess the impact on it.
  • Verify threats and their likelihood with technology managers, since they can explain how and why technologies fail.
  • Use these results to determine controls and confirm the results with risk owners.
  • Develop plans for implementing the controls.
  • Prepare cost-benefit charts for each control, considering technology, operations, resources required, etc.
  • Prepare business cases by expressing the risk assessment results in business terms using a business impact assessment. A business case that expresses the benefits in business terms has a higher probability of getting management approval.

After implementing controls, the monitoring process must take its inputs from the business cases and present to management the benefits gained through implementation of the controls. This helps management understand how much revenue loss has been averted by security, thereby driving home the realization that the security function is not just a cost center but an integral part of business activities.

Endnotes

1 TechTarget, Peltzman Effect, WhatIs.com, December 2018, https://whatis.techtarget.com/definition/Peltzman-Effect

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP

Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant in India.