As businesses across all industries evolve, once discretionary expenses become operating costs.  Insurance coverage, for example, is pretty much ‘a must’ across many industries. The latest may be cybersecurity costs, because protecting your most important currency, information, requires ongoing attention. When looking at your cybersecurity budget, factor in every part of the recipe. What are some items you can bake into your cybersecurity budget that will reduce your overall risk posture?

How to Talk to the C-Suite About Cybersecurity Costs

If you’re smart about how you spend and allocate your information security budget, you can actually turn your cyber-related expenses into competitive advantages. And you’ll make a lot of friends if you can do that. Therefore, as you plan for your coming year’s budget, make sure you are speaking a language the decision makers understand. Remember, it’s not just about bits and bytes, firewalls and routers; it’s also about business speak. Learn to talk about why these cybersecurity costs are worth it to the C-suite: 

  • Cash flow (Can the business financially sustain what you’re asking for?)
  • Collateral (in case you need to borrow against assets)
  • Capital (How much do you have in the piggybank that can be used?)
  • Character (This not only goes for you, but who you’re relying on.)
  • Conditions (What’s the outlook like?)

Yes, these are the ‘five Cs’ of credit and lending analysis. Effectively, you’re asking management to invest in your cybersecurity training and budget, meaning they’re going to want to see a return on investment. If you can’t quantify what you’re asking for, don’t expect to get it, even more so in 2021.

Vulnerability Assessments and Fixes

If you can’t perform vulnerability assessments internally, there’s good news. This type of cybersecurity costs are dropping where this service is commoditized more and more. As a buyer, that puts you in a good negotiating position to do this often and even with flat rates. Also, using an external vendor keeps you honest even if you could do it yourself. In a perfect world, you should aim to conduct assessments every three or six months. Today, once a year is a minimum.

There’s a catch: remediation. An assessment without corrective action is kind of like buying a gym membership and not using it. Cyber hygiene requires action. If you can’t make corrections on your own, work with your vendor. It’s a good time to start working on some longer-term contracts. 

Penetration Tests

Business thinker Peter Drucker says, “Plans are only good intentions unless they immediately degenerate into hard work.”

Think of vulnerability assessments as good intentions and penetration tests as hard work. Pen tests are more in-depth and run the risk of becoming open-ended, so set clear borders and rules. But also make sure to have an annual test, otherwise you’re doing yourself a disservice.

Many vulnerability assessment vendors also offer pen test services. So, again, think about the business angle of these cybersecurity costs. This is a good time to haggle and get all these services lined and locked up. 

Include Employee Training in Cybersecurity Costs

Many larger entities make sure their employees go through some sort of internal annual information security training. With today’s threats, that’s not enough. As technical defensive measures become stronger, threat actors are changing their tactics and going low tech again, focusing on social engineering attacks. That means exploiting the human, not the code.

If you want to avoid business email compromise and ransomware, make sure your employees across the board receive regular and ongoing training so they can spot suspicious links and fraudulent emails. It’s just like the gym: you need to build up training and muscle memory. That means making sure your budget has room to support IT on an ongoing basis. Going to the ‘cybersecurity gym’ once a year does nothing for you.

Training and Certification for IT Staff

Employee burnout is real in cybersecurity spaces. Figure out a way to support your IT staff through training and certification.

There are two big pluses here. First, staff can apply the latest lessons to your systems. Second, you are helping them through career development. That goes a long way and can improve employee morale. Remember, return on investment also applies to your employees.

System Maintenance and Cybersecurity Costs

Do not let your system be further degraded or burdened. This is very important if it is nearing the end of its life cycle. The last thing you need is a big bang. But as you consider your annual maintenance costs, be cognizant that the landscape is changing rapidly. 5G deployments continue, meaning that increased endpoint protection, event management and orchestration are all going to come closer to the front of mind. Digital transformation is on the rise as legacy systems are reaching end-of-life. 

So while it may not be in your 2021 plans, be mindful of how to plan ahead. Just like at some point it’s not worth it to fix an old car, the same applies to your systems. An expensive annual maintenance cost is a warning sign. In this case, consider an upgrade or overhaul.

Cyber Insurance

You can’t talk about long-term cybersecurity costs without factoring in insurance. If you don’t have some cyber insurance, look into getting some. Do the math and find what’s right for you, but keep this in mind: cyber insurance without everything else above may end up costing you more than you think.

We’re not there yet, but cyber insurance may soon become akin to flood insurance. With many cyber claims still made through general coverage policies, there will come a point where the insurance industry throws a flag on this business model. That may mean cyber insurance coverage will require things like regular vulnerability assessments, remediation, pen tests and training, all items mentioned above. And don’t forget certifications and audits as proof.

Piece-by-Piece, Build Your Defenses

In closing, cybersecurity costs may be high, but they’re a good long-term investment. Build your cybersecurity budget with the above tips in mind. All of them combine into a recipe to help you improve your cyber resilience

More from Security Services

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

Log4j Forever Changed What (Some) Cyber Pros Think About OSS

In late 2021, the Apache Software Foundation disclosed a vulnerability that set off a panic across the global tech industry. The bug, known as Log4Shell, was found in the ubiquitous open-source logging library Log4j, and it exposed a huge swath of applications and services. Nearly anything from popular consumer and enterprise platforms to critical infrastructure and IoT devices was exposed. Over 35,000 Java packages were impacted by Log4j vulnerabilities. That’s over 8% of the Maven Central repository, the world’s largest…