As businesses across all industries evolve, once discretionary expenses become operating costs. Insurance coverage, for example, is pretty much ‘a must’ across many industries. The latest may be cybersecurity costs, because protecting your most important currency, information, requires ongoing attention. When looking at your cybersecurity budget, factor in every part of the recipe. What are some items you can bake into your cybersecurity budget that will reduce your overall risk posture?

How to Talk to the C-Suite About Cybersecurity Costs

If you’re smart about how you spend and allocate your information security budget, you can actually turn your cyber-related expenses into competitive advantages. And you’ll make a lot of friends if you can do that. Therefore, as you plan for your coming year’s budget, make sure you are speaking a language the decision makers understand. Remember, it’s not just about bits and bytes, firewalls and routers; it’s also about business speak. Learn to talk about why these cybersecurity costs are worth it to the C-suite: 

  • Cash flow (Can the business financially sustain what you’re asking for?)
  • Collateral (in case you need to borrow against assets)
  • Capital (How much do you have in the piggybank that can be used?)
  • Character (This not only goes for you, but who you’re relying on.)
  • Conditions (What’s the outlook like?)

Yes, these are the ‘five Cs’ of credit and lending analysis. Effectively, you’re asking management to invest in your cybersecurity training and budget, meaning they’re going to want to see a return on investment. If you can’t quantify what you’re asking for, don’t expect to get it, even more so in 2021.

Vulnerability Assessments and Fixes

If you can’t perform vulnerability assessments internally, there’s good news: this type of cybersecurity cost is dropping as the service becomes more and more commoditized. As a buyer, that puts you in a good negotiating position to have assessments done often, even at flat rates. Also, using an external vendor keeps you honest even if you could do it yourself. In a perfect world, you should aim to conduct assessments every three or six months. Today, once a year is the minimum.

There’s a catch: remediation. An assessment without corrective action is kind of like buying a gym membership and not using it. Cyber hygiene requires action. If you can’t make corrections on your own, work with your vendor. It’s a good time to start working on some longer-term contracts. 

Penetration Tests

Business thinker Peter Drucker says, “Plans are only good intentions unless they immediately degenerate into hard work.”

Think of vulnerability assessments as good intentions and penetration tests as hard work. Pen tests are more in-depth and run the risk of becoming open-ended, so set clear borders and rules. But also make sure to have an annual test, otherwise you’re doing yourself a disservice.

Many vulnerability assessment vendors also offer pen test services. So, again, think about the business angle of these cybersecurity costs. This is a good time to haggle and get all these services lined up and locked in.

Include Employee Training in Cybersecurity Costs

Many larger entities make sure their employees go through some sort of internal annual information security training. With today’s threats, that’s not enough. As technical defensive measures become stronger, threat actors are changing their tactics and going low tech again, focusing on social engineering attacks. That means exploiting the human, not the code.

If you want to avoid business email compromise and ransomware, make sure your employees across the board receive regular and ongoing training so they can spot suspicious links and fraudulent emails. It’s just like the gym: you need to build up training and muscle memory. That means making sure your budget has room to support IT on an ongoing basis. Going to the ‘cybersecurity gym’ once a year does nothing for you.

Training and Certification for IT Staff

Employee burnout is real in cybersecurity spaces. Figure out a way to support your IT staff through training and certification.

There are two big pluses here. First, staff can apply the latest lessons to your systems. Second, you are helping them through career development. That goes a long way and can improve employee morale. Remember, return on investment also applies to your employees.

System Maintenance and Cybersecurity Costs

Do not let your system be further degraded or burdened. This is very important if it is nearing the end of its life cycle. The last thing you need is a big bang. But as you consider your annual maintenance costs, be cognizant that the landscape is changing rapidly. 5G deployments continue, meaning that increased endpoint protection, event management and orchestration are all going to come closer to the front of mind. Digital transformation is on the rise as legacy systems are reaching end-of-life. 

So while it may not be in your 2021 plans, be mindful of how to plan ahead. Just like at some point it’s not worth it to fix an old car, the same applies to your systems. An expensive annual maintenance cost is a warning sign. In this case, consider an upgrade or overhaul.

Cyber Insurance

You can’t talk about long-term cybersecurity costs without factoring in insurance. If you don’t have some cyber insurance, look into getting some. Do the math and find what’s right for you, but keep this in mind: cyber insurance without everything else above may end up costing you more than you think.

We’re not there yet, but cyber insurance may soon become akin to flood insurance. With many cyber claims still made through general coverage policies, there will come a point where the insurance industry throws a flag on this business model. That may mean cyber insurance coverage will require things like regular vulnerability assessments, remediation, pen tests and training, all items mentioned above. And don’t forget certifications and audits as proof.

Piece-by-Piece, Build Your Defenses

In closing, cybersecurity costs may be high, but they’re a good long-term investment. Build your cybersecurity budget with the above tips in mind. All of them combine into a recipe to help you improve your cyber resilience.
