It’s challenging for a CISO to get budget for cybersecurity. Your board of directors really wants to spend that IT money on projects and solutions that will expand the business and bring in more revenue. That’s what your shareholders value.

As breaches become more commonplace, your colleagues and customers become desensitized to the potential impact of a breach, which can downgrade their sense of urgency to protect assets in advance. New CISOs sometimes report being given no security budget at all.

A False Sense of Security

It’s less likely now that your company’s stock will fall significantly if you happen to have a public breach. This alone can lull people into a misguided, if not outright false, sense of security.

The reality is that the overall cost of a breach has been steadily rising, according to the Ponemon Institute. The cost of a data breach is composed of several things, including the cost of acting to reduce the impact, the loss of brand reputation and consumer trust, and even the cost of litigation.

So how do you show that there is value in investing in cybersecurity and justify a proper security budget? There isn’t an ROI in the way that most company accountants understand it. Much of the time you have to rely on your experience and judgment, as well as the competing claims of security vendors — none of which helps you build a compelling case when you are being asked to assess the return on the investment and tell the board members why they should spend their money on your security budget.

Speak the Board’s Language

There have been substantial efforts over the years to find a more scientific and rational approach to budget for and invest in cybersecurity. A team of researchers at the Robert H. Smith Business School at the University of Maryland developed and refined an economics-based model to help businesses with this exact problem.

The team found that an organization should invest in security solutions or services only while the expected benefits, in monetary terms, outweigh the costs, and no further than that. This is the normal way in which companies decide how to invest, whatever the field of investment, and deals with budgeting in a language a board will understand.

The researchers produced an informative video to show the basics of the model and their research findings. The video distills years of research into a four-step process to help you determine where your security budget is best spent. The basic principles are similar to those proposed by many experienced security consultants — with some key refinements.

First, classify your assets by value in terms of cost of a potential breach as well as vulnerability to a breach. Then, estimate the degree to which the solution in question will reduce the likelihood of a breach. Some simple statistics then show you how to maximize the return on your cybersecurity investment.

Security Versus Insurance

Surprisingly, it’s not always best to set out to protect your most obvious assets. Sometimes the costs of fully protecting the most vulnerable assets are impractically high. From a business return standpoint, you may be better off protecting a larger number of less vulnerable assets.

You don’t get a uniform return as you try to protect more and more assets. In many ways, this is just common sense: Some assets are so unlikely to be breached, or of sufficiently low value, that the benefit of protecting them will never balance the cost of doing so.

Pat Larkin of Ward Security in Dublin suggested to me that it would be better to spend budget insuring these low-value assets. Cyber insurance is in its relative infancy, and the cost of insurance may change in the future as actuarial calculations have more real-life data to work with.

Bear in mind that many solutions will protect more than one asset. A security intelligence solution, for example, is deliberately designed to have a wide view and a broad impact on an organization’s security posture.

The Magic Number

The researchers used their model against real-life scenarios and found that, for most use cases, your cybersecurity budget should not exceed 37 percent of the expected losses due to a security breach. This is the point at which the costs usually (but not always) start to outweigh the expected benefits.

The average cost of a breach is $4 million — but remember this is an average, and it’s worth delving into the full study to understand the differences across industries and countries. The Ponemon Institute report should give you a place to start in assessing your budgetary needs.

The beauty of the Gordon-Loeb model is that it gives you a framework to derive costs versus benefits for different levels of investment. The researchers are clear, however, that there are use cases where it does not apply, for example where the breach of an asset would lead to catastrophic loss.

Don’t Go With Your Gut

It can be very tempting to rely on gut feeling, especially when the alternative looks as if it may require some calculation. However, there is a wealth of research, notably Daniel Kahneman’s, showing that:

  • Almost all of us rely on gut feeling to make decisions and then rationalize them afterward.
  • Even when people are making decisions in fields in which they are world experts, those gut feelings are often wrong and a more detailed analysis yields a better solution.

No model should be relied upon prescriptively, but going through the modeling exercise when you assess your security risk should at least help you review and refine your thinking.

Applying the Model to Your Security Budget

The Gordon-Loeb model presupposes that you can generate a solid estimate of the value of your information assets, the probability of a breach and the degree to which an investment in cybersecurity solutions can reduce vulnerability.

You may find it a little tricky to make such estimates if you have never done it before. Sometimes the best option is simply to make an estimate and see what it does to the result. Iterating repeatedly through a model can clarify aspects that were not obvious before.
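A worked instance of the model, added here as an example and not taken from the article or from the University of Maryland researchers’ materials: it uses the model’s two published breach-probability families, assumes a constructed $1M loss and constructed scaling parameters, and shows both the roughly 37 percent ceiling on investment and the case where a very vulnerable asset gets no direct investment at all.

```python
"""Gordon-Loeb optimal security investment, as a worked example.
Symbols follow the model: L = loss if the asset is breached, v = breach
probability with no extra spend (vulnerability), z = money invested,
S(z, v) = breach probability after investing z.  The expected net benefit
is ENBIS(z) = (v - S(z, v)) * L - z.  alpha, beta and the dollar figures
below are constructed sample values, not figures from the article."""
import math

def s_class1(z, v, alpha, beta):
    """Class I breach-probability family: v / (alpha*z + 1)^beta."""
    return v / (alpha * z + 1) ** beta

def s_class2(z, v, alpha):
    """Class II breach-probability family: v^(alpha*z + 1)."""
    return v ** (alpha * z + 1)

def enbis(z, v, loss, s_func):
    """Expected net benefit: reduction in expected loss minus the spend."""
    return (v - s_func(z, v)) * loss - z

def optimal_z_class1(v, loss, alpha, beta):
    """Solve d/dz ENBIS = 0: (alpha*z + 1)^(beta+1) = v*alpha*beta*L.
    If marginal benefit at z = 0 is already below 1, spend nothing."""
    root = (v * alpha * beta * loss) ** (1.0 / (beta + 1))
    return max(0.0, (root - 1.0) / alpha)

def optimal_z_class2(v, loss, alpha):
    """Solve d/dz ENBIS = 0: v^(alpha*z + 1) = 1 / (alpha*L*ln(1/v))."""
    k = math.log(1.0 / v)
    return max(0.0, (math.log(alpha * loss * k) / k - 1.0) / alpha)

def within_gordon_loeb_bound(z_star, v, loss):
    """Headline result: z* never exceeds (1/e)*v*L, about 37% of expected loss."""
    return z_star <= v * loss / math.e + 1e-9

def is_local_max(z_star, v, loss, s_func, delta=1.0):
    """Sanity check: moving one dollar either way does not beat z*."""
    best = enbis(z_star, v, loss, s_func)
    return (best >= enbis(max(0.0, z_star - delta), v, loss, s_func)
            and best >= enbis(z_star + delta, v, loss, s_func))

if __name__ == "__main__":
    L, ALPHA = 1_000_000.0, 1e-5  # constructed: $1M loss, alpha scaling
    for v in (0.2, 0.4, 0.5, 0.8, 0.9, 0.95):
        z = optimal_z_class2(v, L, ALPHA)
        # z* is zero for the most vulnerable assets and always below the bound.
        print(f"v={v:.2f} expected_loss={v * L:>10,.0f} "
              f"z*={z:>10,.0f} bound={v * L / math.e:>10,.0f}")
```

Running the table shows why the investment curve is not uniform: under the class II family the optimal spend rises with vulnerability up to a point and then drops to zero, which is exactly where insurance rather than controls becomes the better use of budget.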

The Ponemon Institute study will help lend weight to some estimates you need to make, and further research of your own may turn up more methods you can use to monetize risk. Of course, there are experienced practitioners out there who can help, and it may be possible to get output from a security risk assessment that feeds easily into the model.

Understanding the research behind the model in full detail requires some understanding of business statistics. I found it easy enough to follow the model without having to understand the exact statistical underpinnings. Many companies will have people in the finance division who have backgrounds in business statistics if you want to delve deeper into these details.

Security practitioners can use the model too. Given a budget to spend on security, the model should be useful in working out the most appropriate and urgent places to apply it.
