January 15, 2021 By George Platsis 4 min read

As businesses across all industries evolve, once discretionary expenses become operating costs.  Insurance coverage, for example, is pretty much ‘a must’ across many industries. The latest may be cybersecurity costs, because protecting your most important currency, information, requires ongoing attention. When looking at your cybersecurity budget, factor in every part of the recipe. What are some items you can bake into your cybersecurity budget that will reduce your overall risk posture?

How to Talk to the C-Suite About Cybersecurity Costs

If you’re smart about how you spend and allocate your information security budget, you can actually turn your cyber-related expenses into competitive advantages. And you’ll make a lot of friends if you can do that. Therefore, as you plan for your coming year’s budget, make sure you are speaking a language the decision makers understand. Remember, it’s not just about bits and bytes, firewalls and routers; it’s also about business speak. Learn to talk about why these cybersecurity costs are worth it to the C-suite: 

  • Cash flow (Can the business financially sustain what you’re asking for?)
  • Collateral (in case you need to borrow against assets)
  • Capital (How much do you have in the piggybank that can be used?)
  • Character (This not only goes for you, but who you’re relying on.)
  • Conditions (What’s the outlook like?)

Yes, these are the ‘five Cs’ of credit and lending analysis. Effectively, you’re asking management to invest in your cybersecurity training and budget, meaning they’re going to want to see a return on investment. If you can’t quantify what you’re asking for, don’t expect to get it, even more so in 2021.

Vulnerability Assessments and Fixes

If you can’t perform vulnerability assessments internally, there’s good news. This type of cybersecurity costs are dropping where this service is commoditized more and more. As a buyer, that puts you in a good negotiating position to do this often and even with flat rates. Also, using an external vendor keeps you honest even if you could do it yourself. In a perfect world, you should aim to conduct assessments every three or six months. Today, once a year is a minimum.

There’s a catch: remediation. An assessment without corrective action is kind of like buying a gym membership and not using it. Cyber hygiene requires action. If you can’t make corrections on your own, work with your vendor. It’s a good time to start working on some longer-term contracts. 

Penetration Tests

Business thinker Peter Drucker says, “Plans are only good intentions unless they immediately degenerate into hard work.”

Think of vulnerability assessments as good intentions and penetration tests as hard work. Pen tests are more in-depth and run the risk of becoming open-ended, so set clear borders and rules. But also make sure to have an annual test, otherwise you’re doing yourself a disservice.

Many vulnerability assessment vendors also offer pen test services. So, again, think about the business angle of these cybersecurity costs. This is a good time to haggle and get all these services lined and locked up. 

Include Employee Training in Cybersecurity Costs

Many larger entities make sure their employees go through some sort of internal annual information security training. With today’s threats, that’s not enough. As technical defensive measures become stronger, threat actors are changing their tactics and going low tech again, focusing on social engineering attacks. That means exploiting the human, not the code.

If you want to avoid business email compromise and ransomware, make sure your employees across the board receive regular and ongoing training so they can spot suspicious links and fraudulent emails. It’s just like the gym: you need to build up training and muscle memory. That means making sure your budget has room to support IT on an ongoing basis. Going to the ‘cybersecurity gym’ once a year does nothing for you.

Training and Certification for IT Staff

Employee burnout is real in cybersecurity spaces. Figure out a way to support your IT staff through training and certification.

There are two big pluses here. First, staff can apply the latest lessons to your systems. Second, you are helping them through career development. That goes a long way and can improve employee morale. Remember, return on investment also applies to your employees.

System Maintenance and Cybersecurity Costs

Do not let your system be further degraded or burdened. This is very important if it is nearing the end of its life cycle. The last thing you need is a big bang. But as you consider your annual maintenance costs, be cognizant that the landscape is changing rapidly. 5G deployments continue, meaning that increased endpoint protection, event management and orchestration are all going to come closer to the front of mind. Digital transformation is on the rise as legacy systems are reaching end-of-life. 

So while it may not be in your 2021 plans, be mindful of how to plan ahead. Just like at some point it’s not worth it to fix an old car, the same applies to your systems. An expensive annual maintenance cost is a warning sign. In this case, consider an upgrade or overhaul.

Cyber Insurance

You can’t talk about long-term cybersecurity costs without factoring in insurance. If you don’t have some cyber insurance, look into getting some. Do the math and find what’s right for you, but keep this in mind: cyber insurance without everything else above may end up costing you more than you think.

We’re not there yet, but cyber insurance may soon become akin to flood insurance. With many cyber claims still made through general coverage policies, there will come a point where the insurance industry throws a flag on this business model. That may mean cyber insurance coverage will require things like regular vulnerability assessments, remediation, pen tests and training, all items mentioned above. And don’t forget certifications and audits as proof.

Piece-by-Piece, Build Your Defenses

In closing, cybersecurity costs may be high, but they’re a good long-term investment. Build your cybersecurity budget with the above tips in mind. All of them combine into a recipe to help you improve your cyber resilience

More from Security Services

Pentesting vs. Pentesting as a Service: Which is better?

5 min read - In today's quickly evolving cybersecurity landscape, organizations constantly seek the most effective ways to secure their digital assets. Penetration testing (pentesting) has emerged as a leading solution for identifying potential system vulnerabilities while closing security gaps that can lead to an attack. At the same time, a newer entrant into the security arena is Pentesting as a Service (PTaaS). Although PTaaS shares some similarities with pentesting, distinct differences make them two separate solutions. This article will discuss how these methodologies…

How I got started: Attack surface management

4 min read - As the threat landscape multiplies in sophistication and complexity, new roles in cybersecurity are presenting themselves more frequently than ever before. For example, attack surface management. These cybersecurity professionals are responsible for identifying, mapping and securing all external digital assets an organization owns or is connected to. This includes servers, domains, cloud assets and any other digital points that could be exploited by cyber criminals. Their role involves continuously monitoring these assets for vulnerabilities, misconfigurations or other potential security risks…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Does your security program suffer from piecemeal detection and response?

4 min read - Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include: Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud) Spending too much time or energy on integrating detection systems An underperforming security orchestration, automation and response (SOAR) system Only capable of taking automated responses on the endpoint Anomaly detection in silos (e.g., network separate from identity) If any of these symptoms resonate with your organization, it's…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today