The easiest answer to the question of how much a company should spend on security seems to be: well, how much do you have? Since the dawn of time, for those who have money, the best way to get rid of a problem is to throw money at it, and security can seem like no exception.
If you’re spending thousands, hundreds of thousands, or even millions to keep the bad guys out, it must be working, right? But companies like Facebook, and its whole scandal, or any major retailer with a credit card data breach in the last few years can attest to the fact that more spend doesn’t always equal better results. And when it comes to security, results are what matter.
Read the (board) room
Budgets are a numbers game, obviously, so let’s explore some numbers. Security is an industry just like any other, and business is booming. According to Gartner, the world is on track to break $124 billion in spending on security this year, compared with $114 billion in 2018. That’s a solid chunk of change, and it’s snowballing every single year.
CIO reported that in 2018 a quarter of businesses were spending on average 10-20% of their total IT budgets on security. This is right around the recommended amount of 13.7%, which was proposed by the IDC in 2015. If you want a hard and fast rule, that’s an okay one to live by, but simply doing what all the other kids are doing isn’t going to cut it. There are other factors at play when determining your security budget.
One of the best parts of being alive at this point in time is getting to see new, previously-only-dreamt-of technology come to life. While we’re still waiting on readily-available flying cars like Back to the Future promised us, we’ve still got some jaw-dropping technology both here and on its way.
From game-changing tech like Artificial Intelligence and blockchain technology to new regulations like the whole GDPR fiasco (every marketer’s worst nightmare), it seems like nothing ever stays the same for very long on the good ol’ internet.
Creative security solutions like AI breach detection are becoming more popular, with Capgemini reporting 48% of companies plan on throwing an extra 29% into their security budget for implementing more AI.
With these solutions, though, comes the converse. The bad guys are already starting to use AI against us, with a bizarre example happening this past March. Hackers used AI to impersonate a UK energy firm’s CEO’s voice, resulting in hundreds of thousands of dollars being stolen.
No matter what awe-inspiring technology the good guys come up with to keep us all safe, it’s pretty much inevitable that the same tech we trust will be used against us by the bad guys. It’s enough to make you want to pull your hair out.
Let’s talk solutions
Because of the ambiguous and ever-changing nature of technology and its uses in security, it’s hard to know for sure what the landscape will look like in 6 weeks, let alone a year, making nailing down a specific budget even more difficult. It’s easy to get overwhelmed trying to take everything in, but there are several steps to take that will help you find your way.
1. Be aware of your surroundings
It’s not just the best way to avoid a bear attack while hiking in the Rockies, it’s also one of the most important steps to successfully navigate the churning waters of cybersecurity in business. Keep yourself up-to-date on what’s going on, what the current threats are, and how you can protect yourself.
Whether it’s setting up a Google alert or two, signing up for a handful of security newsletters, or even doing your own internet search every once in a while, knowledge is power. Keeping a pulse on what’s headed your way can be the difference between nipping an issue in the bud and being completely devastated by it.
2. Analyze, forecast, record. Wash, rinse, repeat.
Hindsight is 20/20, as we all know, so take advantage of it where you can. When putting together your security budget, thoroughly analyze the past. What worked well? What was a colossal waste of time and money? What do you wish you would have done, bought, or used?
From there, and with a well-researched, accurate picture of the current landscape of cybersecurity, piece together a game plan for the coming year. This is your chance to truly learn from the past and actually do something about it for the future.
Finally, record every single cent you spend on cybersecurity, from recurring charges to unexpected emergencies. Take notes on what was the right choice and what to tweak. That’ll make the next time around easier.
3. Leave a little wiggle room
When I was about 10, my dad made me start a “car fund” for emergencies, which is where some of my allowance went each week. I thought it was stupid, until 16-year-old me got my first traffic ticket and I was able to pay for it immediately instead of picking up extra lawns to mow.
That whole situation taught me a valuable lesson: having a little nest egg stashed away specifically for security emergencies can save you and your company in the event of an unexpected visit from a hacker or a vulnerability in your security system. However you determine your security budget, leave yourself a bit extra.
4. Simplify, simplify, simplify
With more and more tools, apps, and gadgets coming out every single day in the cybersecurity space, it’s easy to be wowed by and purchase them all. As amazing as each individual tool may seem, taking the time to ensure what you’re using is truly the best option can save you both a headache and a nice pile of cash.
I’ll give you an example. A company I worked for had a million and one tools, from password managers to proxies and everything in between. The tech bill was enormous, but it all seemed necessary, so we all thought it was justified. However, with a little digging, we were able to find an SSO (single sign-on) platform that took care of over half our issues for the price of one of the tools we had been using.
Yes, time is money, but sometimes spending a little extra time can save you a lot of extra money. Take those few hours (or delegate it) to truly understand what you’re paying for, what the alternatives are, and how you could improve.
At the end of the day, there is no firm answer on how much to spend on your security budget. Sure, there are guidelines put together by high-powered research firms, but you are the only person who knows your situation as well as you do.
How many clients you have, the size of each client, your specific company workflows, your team’s strengths and weaknesses – they all make your business unique, which makes your financial situation unique. Instead of throwing money at every tool and service out there, take the time to truly get to know your business and what it needs. It just might be cheaper than you thought.