Make no mistake: investing in cybersecurity is critical to the health of your entire organization. Once viewed as an IT issue, cybersecurity has evolved to become an organizational issue. While the investment spans technology, personnel, and training, these costs are frequently dwarfed by potential financial and reputational losses.
Cyber threats continuously evolve, advancing in complexity and frequency at a rate that demands consistent, adequate security budgets to stay ahead of the curve. Just as medical checkups and preventative health underpin personal wellbeing, proactive cybersecurity investments are essential to organizational health and resilience.
Most organizations know they need cybersecurity. They understand that a positive cybersecurity posture helps protect sensitive data, satisfy regulatory and legal requirements, ensure business continuity, protect the organization’s reputation in the event of an attack, shore up the supply chain, and reduce insurance costs, among other things. When thinking about your cyber defense, it’s crucial that your executive team understands that it’s not a matter of “if” but “when” you’ll get hit. And when it does, it’s going to cost you – big – as cyberattacks are increasing in both frequency and cost. For example: 96% of organizations were targeted by an email-related phishing attempt in 2021, and predictions are that by 2031, ransomware will cost victims $265 billion, with attacks occurring every 2 seconds.
Despite the risks, security teams still struggle to get the funding necessary to create a robust cybersecurity posture. CISOs looking to justify their cybersecurity budgets need ways to prove return on investment, provide metrics for measuring success, and ensure continued value. Therefore, it’s critical you present the case for robust cybersecurity in a compelling fashion.
As a starting point when preparing your business case, be sure you:
Highlight the need in terms of the total cost of a data breach. While the average global cost of a data breach in 2023 was more than $4 million USD (far more than typical cybersecurity budgetary requirements) – a 15 percent increase over the past three years – data breaches in the U.S. are much more expensive than in other countries, with an average cost in the U.S. of just over $9 million. Costs include more than breach containment and remediation: they also cover downtime, legal expenses, regulatory fines, lost business, and long-term costs such as repairing your reputation. And costs are only expected to increase over time, so this trend needs to be emphasized as part of your request. Be sure to include examples or case studies of what could happen if your organization does not act.
Focus on the ROI of your cybersecurity request, not just the costs. Everyone loves data, and your key decision makers are no exception. While it’s true that cybersecurity is an investment and you’ll need to present what those line items entail, don’t focus only on the costs – present the whole picture, including an estimated ROI. To prove out your cybersecurity ROI, be sure your calculations subtract the cost of the investment from the net gain, where:
- Net gain from your investment, including monetary benefits or cost savings realized as a result of the cybersecurity investment. Alternatively, you could use reduced losses from security incidents, costs avoided from data breaches or increased efficiency as the result of improved security measures.
- Cost of investment, including all costs associated with implementing and maintaining your investment such as initial costs of software and hardware, operational costs, training costs and other cybersecurity-related expenses.
It’s important to note that calculating an exact ROI can be challenging. Some benefits, such as preventing a potential attack, are difficult to quantify in monetary terms. And some costs may be spread over an extended period of time, so executives need to understand the long-term impact of cybersecurity. To gather data that’s as accurate as possible, consult with finance and cybersecurity professionals.
Determine quantifiable metrics for how you will track and measure your investment. Set a clear direction and present a solid case on how your budget request will reduce risk. Create clear metrics up front, then present how you will track risk reduction over time. One way to do this is to determine the average industry risk score (including competitors and your peers) and compare it with your own. For example, if the organization had a score of X to start, measure the difference after implementing the proposed service or solution (perhaps every six months or so) to make the reduction in risk visible. Comparing your own data with the industry average risk score will highlight the broader security risk trends and show how your organization compares to others. Obviously, if your company scores higher than your competitors and peers, you’ve helped make your case for your cyber investment.
While there are numerous factors that go into making a business case for cybersecurity, the information above can serve as a starting point. Increasingly complex security challenges and a dynamic threat environment mean you need a strong and agile security planning, programming and budgeting process. Highlighting the benefits and ROI of your proposed cybersecurity investment alongside the realities of what will happen if you don’t make this commitment should help your decision makers understand that an investment in cybersecurity is one they can’t afford not to make.
CyberOne Viewpoint:
By quantifying potential breach costs and disaster recovery readiness using data-driven metrics tied directly to business outcomes, security leaders make an ironclad case for critical budget increases. These lifesaving investments across people, process and technology controls act as insurance policies against exponentially rising risks in an interconnected world.
Much like dutifully paying insurance premiums amid calm waters, executives must dedicate steady security funds now, before the storms hit. Cybercrime already costs the world economy over $1 trillion, yet the majority of successful attacks exploit known, unpatched vulnerabilities. Clearly, organizations continue to underestimate the havoc of being ill-prepared – a status quo that must change immediately.
Forward-looking leaders across healthcare, retail, government and other breach-prone sectors now rightfully elevate cybersecurity to a board-level concern vital to sustaining operations. They understand addressable security gaps can no longer be the weakest link that brings hostile forces past the gates. Just one destructive breach can fatally undermine customer trust, shareholder value and an organization’s foundational mission.
By heeding security’s call to action and dedicating adequate, consistent investment into defense today, organizations globally can collaboratively reach safe harbors tomorrow. Now is the time for cyber resilience to become every executive’s shared priority before the preventable occurs.
About the Author
Ricky Allen is the Field CISO for CyberOne Security, where he provides security architecture design and leadership management for customers across the country, and an ISSA Fellow. Allen was President of the South Texas ISSA chapter, and he holds certifications in SABSA Security Architecture, CISSP, CISA, and Six Sigma. Previous roles include time at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the Practice Lead for developing Security Operations programs for ArcSight SIEM products. While at PwC, Allen focused on the retail and manufacturing industries, managing penetration testing and risk assessments for companies across the US. He has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Allen is based in Houston, TX and earned a degree in Management Information Systems from Texas A&M University.