As businesses across all industries evolve, once discretionary expenses become operating costs. Insurance coverage, for example, is pretty much ‘a must’ across many industries. The latest may be cybersecurity costs, because protecting your most important currency, information, requires ongoing attention. When looking at your cybersecurity budget, factor in every part of the recipe. What are some items you can bake into your cybersecurity budget that will reduce your overall risk posture?
How to Talk to the C-Suite About Cybersecurity Costs
If you’re smart about how you spend and allocate your information security budget, you can actually turn your cyber-related expenses into competitive advantages. And you’ll make a lot of friends if you can do that. Therefore, as you plan for your coming year’s budget, make sure you are speaking a language the decision makers understand. Remember, it’s not just about bits and bytes, firewalls and routers; it’s also about business speak. Learn to talk about why these cybersecurity costs are worth it to the C-suite:
- Cash flow (Can the business financially sustain what you’re asking for?)
- Collateral (in case you need to borrow against assets)
- Capital (How much do you have in the piggybank that can be used?)
- Character (This not only goes for you, but who you’re relying on.)
- Conditions (What’s the outlook like?)
Yes, these are the ‘five Cs’ of credit and lending analysis. Effectively, you’re asking management to invest in your cybersecurity training and budget, meaning they’re going to want to see a return on investment. If you can’t quantify what you’re asking for, don’t expect to get it, even more so in 2021.
Vulnerability Assessments and Fixes
If you can’t perform vulnerability assessments internally, there’s good news. This type of cybersecurity costs are dropping where this service is commoditized more and more. As a buyer, that puts you in a good negotiating position to do this often and even with flat rates. Also, using an external vendor keeps you honest even if you could do it yourself. In a perfect world, you should aim to conduct assessments every three or six months. Today, once a year is a minimum.
There’s a catch: remediation. An assessment without corrective action is kind of like buying a gym membership and not using it. Cyber hygiene requires action. If you can’t make corrections on your own, work with your vendor. It’s a good time to start working on some longer-term contracts.
Penetration Tests
Business thinker Peter Drucker says, “Plans are only good intentions unless they immediately degenerate into hard work.”
Think of vulnerability assessments as good intentions and penetration tests as hard work. Pen tests are more in-depth and run the risk of becoming open-ended, so set clear borders and rules. But also make sure to have an annual test, otherwise you’re doing yourself a disservice.
Many vulnerability assessment vendors also offer pen test services. So, again, think about the business angle of these cybersecurity costs. This is a good time to haggle and get all these services lined and locked up.
Include Employee Training in Cybersecurity Costs
Many larger entities make sure their employees go through some sort of internal annual information security training. With today’s threats, that’s not enough. As technical defensive measures become stronger, threat actors are changing their tactics and going low tech again, focusing on social engineering attacks. That means exploiting the human, not the code.
If you want to avoid business email compromise and ransomware, make sure your employees across the board receive regular and ongoing training so they can spot suspicious links and fraudulent emails. It’s just like the gym: you need to build up training and muscle memory. That means making sure your budget has room to support IT on an ongoing basis. Going to the ‘cybersecurity gym’ once a year does nothing for you.
Training and Certification for IT Staff
Employee burnout is real in cybersecurity spaces. Figure out a way to support your IT staff through training and certification.
There are two big pluses here. First, staff can apply the latest lessons to your systems. Second, you are helping them through career development. That goes a long way and can improve employee morale. Remember, return on investment also applies to your employees.
System Maintenance and Cybersecurity Costs
Do not let your system be further degraded or burdened. This is very important if it is nearing the end of its life cycle. The last thing you need is a big bang. But as you consider your annual maintenance costs, be cognizant that the landscape is changing rapidly. 5G deployments continue, meaning that increased endpoint protection, event management and orchestration are all going to come closer to the front of mind. Digital transformation is on the rise as legacy systems are reaching end-of-life.
So while it may not be in your 2021 plans, be mindful of how to plan ahead. Just like at some point it’s not worth it to fix an old car, the same applies to your systems. An expensive annual maintenance cost is a warning sign. In this case, consider an upgrade or overhaul.
Cyber Insurance
You can’t talk about long-term cybersecurity costs without factoring in insurance. If you don’t have some cyber insurance, look into getting some. Do the math and find what’s right for you, but keep this in mind: cyber insurance without everything else above may end up costing you more than you think.
We’re not there yet, but cyber insurance may soon become akin to flood insurance. With many cyber claims still made through general coverage policies, there will come a point where the insurance industry throws a flag on this business model. That may mean cyber insurance coverage will require things like regular vulnerability assessments, remediation, pen tests and training, all items mentioned above. And don’t forget certifications and audits as proof.
Piece-by-Piece, Build Your Defenses
In closing, cybersecurity costs may be high, but they’re a good long-term investment. Build your cybersecurity budget with the above tips in mind. All of them combine into a recipe to help you improve your cyber resilience.
Senior Director, Educator and Author