Why You Need a Separate Cybersecurity Budget
Cybercrime and cyberattacks are growing each year, and many organizations lack the defenses to protect themselves adequately. This isn't news; happier IT (and our cybersecurity sister company EnterProtect) have been following this for years, but unfortunately, it is still a fact.
Part of the issue stems from organizations not having a separate cybersecurity budget and expecting to protect from escalating threats without adding additional funding for cybersecurity. Most organizations budget an annual increase of 4-5% growth for their annual IT budget to cope with rising labor, hardware, and software costs, but leaving nothing extra for increased investment in cybersecurity. "Robbing Peter to Pay Paul" (reallocating funding from IT to cybersecurity) requires shortcuts and cutbacks to IT investments that can result in decreased reliability of your IT systems, lower staff productivity, and reduced competitiveness in the marketplace.
When polled, Executives and Board members will unanimously agree that cybercrime is an increasing threat to their organization. Likewise, they will agree that insurance companies, lawmakers, regulators, and even companies entering into contracts are increasing their cybersecurity requirements. These executives understand that increasing cybersecurity requires additional investment.
Top executives also understand that if their organization falls victim to a cyberattack and fails to take precautions, they will be held personally responsible and may be considered negligent.
Organizations that take cybersecurity seriously typically have a separate cybersecurity budget that falls under risk management, not under operations. These organizations increase their dedicated cybersecurity budget by an average of 12% per year.
What should you do?
Determine if you have any Cybersecurity requirements
Many organizations are surprised to find they have committed to having specific cybersecurity controls in place that they don't have.
Make a list of contracts, regulators, insurance companies, and other organizations or agreements with data protection or cybersecurity requirements.
Create a spreadsheet containing all requirements you are already committed to meeting.
Get Executive Buy-in
Talk to your top executives and board and ask them if they agree that cybercrime and cyberattacks are a growing threat and of increasing importance to them.
Present the requirements you uncovered (and where you do not meet these requirements fully)
Establish why a separate budget is needed
Explain that cybersecurity is different from IT and that cyberthreats are continuing to grow and evolve
Explain that third parties will continue to increase their requirements as cybersecurity continues to evolve
Begin working with happier IT to build a preliminary cybersecurity plan/budget
Present a tentative budget to your board / executive leadership
Explain that cybersecurity is an ongoing evolution
Explain that their investment lessens their risk, but nothing in 100%
Establish a cybersecurity budget
Ask for a separate cybersecurity budget to help protect the organization from threats.
Ensure the budget has an annual increase baked-in. Remember IT labor, hardware, and software increase about 5% per year. If you want to keep up with cybersecurity and not just maintain your current position, you will need a larger annual increase than a typical IT budget. The further behind your cybersecurity is today, the more you will need to invest in catching up. In addition, the more third-parties your organization is beholden to, the more you will need to budget to meet their increasing requirements.
Have the board/executive approve the new Cybersecurity budget