After rival Equifax got hacked, credit-rating firm Fair Isaac Corp. (FICO) did the logical thing: It boosted its cybersecurity budget.
“I went back to my CFO and I said, ‘Whatever you’re doing, I want you to put another $10 million in cyber,’” FICO CEO William Lansing told The Wall Street Journal.
Since he didn’t outline how the money would be spent, Lansing’s $10 million seems like an arbitrary number. Most companies operate in a similar fashion: figuring out a cybersecurity budget is often a mix of emotion and guesswork. A smarter way is to first determine where your spending is going, then determine your company’s tolerance for risk, and set your budget accordingly.
What companies spend
A recent Gartner report shows most companies spend between 1% and 13% of their IT budget on cybersecurity, with the average at 5.6%. Edward Stroz, founder and executive chairman of Stroz Friedberg, a worldwide cybersecurity consultancy, said most companies don’t really know what they should spend. “We don’t have enough experience going back in time to really get a sense of proportion about what spending should be,” he said in an interview with Security Roundtable. “There are other areas where people have five, 10, 15 years of experience from which to make a decision about what spending should be.”
Stroz said that measuring a cybersecurity budget as a proportion of the IT budget is a flawed approach, because the risk doesn’t necessarily rise if you buy more expensive equipment. “A $1,200 laptop can be a $7 million [security-risk] issue depending on what’s on it,” he explained.
Steve Santorelli, director of intelligence and outreach at Team Cymru, a nonprofit research firm, said that, generally, companies should base their budgets on breach history and industry susceptibility. If a company has been breached in the past, it can count the cost of those events as avoided in years when no breach occurs. For instance, if a past breach cost the company $5 million, then one might assume that the company “saved” $5 million during a year without a breach.
Of course, business issues such as this aren’t usually that orderly. “With cyber, [breaches of some sort] could have happened five years ago and you don’t know it,” said Barbara Filkins, a senior analyst with the SANS Technology Group. “You’re not ever 100% sure that you’ve eradicated the problem.”
Industry susceptibility depends on what business you’re in. “If you are a medical service provider, you have a different set of legal criteria that you need to constantly invest in,” Santorelli said. “If you are a lightly regulated business that is also traditionally a target for miscreants—for example, hosting providers—then you are going to want to strike the balance between the cost of protection and the probable losses that you are prepared to pass onto your customers.”
Waste should also be factored in. The average company spends around $15 million on cybersecurity. But the Ponemon Institute estimates that $1.2 million of that is wasted chasing erroneous or inaccurate alerts.
Often, spending more on cybersecurity simply means getting more data about threats and more data about what’s going on in your system. To use a medical analogy, it can be like going to the doctor’s office 12 times a day: It really won’t make you any healthier.
That’s why Stroz recommends using proactive measures, such as two-factor—or even multifactor—authentication and network segmentation. Such actions aren’t expensive, but they can be inconvenient. For instance, two-factor can be annoying to users if, for some reason, they get locked out of the system. A recent survey found that 74% of companies that use two-factor authentication receive complaints about it, and 10% of their users actively hate it. Segmentation can also be a “pain” when vulnerability scans are run and users find their computing experience impeded by it.
In addition to gauging their tolerance for inconvenience, businesses should also determine their risk tolerance, Stroz explained. Chances are, they already have—for areas outside of cybersecurity, anyway. “If you ask most organizations what their credit risk-management policy is, they probably have a good idea,” he said. “If you turn around and ask about the risk appetite for cybersecurity, they probably don’t know.”
Stroz maintains it’s impossible to set a coherent budget without understanding and setting risk tolerance. A recent PwC survey found that “adding new technologies” was the top spending priority, cited by 47% of executives, but only 24% said redesigning cybersecurity was at the forefront. “That indicates that people are spending before they properly assess risk,” Stroz surmised.
Risk tolerance varies tremendously. Startups might be willing to take big risks, but established companies in highly regulated fields, such as healthcare, are more risk averse. Third-party firms can help assess risk tolerance, Stroz noted, but only the companies themselves can know what their limits are. “It’s like your appetite for food,” he said. “Only you know it.”
Lots of conversations
While determining risk can be a formal process, a big part of smart budgeting is having conversations. Santorelli advised questioning CIOs, CISOs, and other tech and non-tech executives in other companies to get a reality check on marketing claims for security products.
Maintaining a dialogue is also vital to establishing the trust required to set a budget. For instance, a C-suite member might want to suggest cutting the cybersecurity budget, but she might also want to avoid blame if the company suffers a data breach, so she stays quiet. That’s how companies can waste money. An overly compliant C-suite is also neglecting its duty to hold CIOs and CISOs accountable for spending. In a healthy culture, such dialogue isn’t off limits—and budgets will be all the better for it.
“If the tone at the top isn’t set the right way and the board doesn’t show an interest in this, then the board will wind up managing their fear,” Stroz said. “If you’re managing fear, it’s going to victimize the company.”
The best remedy for that, according to Stroz, is for C-suite members to educate themselves about cybersecurity. “You owe it to yourself to ask better questions,” Stroz said.