Budgeting for Cybersecurity: Are You Doing It Right?

As a chief information security officer, one of the biggest challenges I faced was in measuring the value of our organization’s cybersecurity investment. Fortunately, tools and methodologies to translate cybersecurity more specifically into costs and benefits are now available, so CISOs can be more detailed than ever before in measuring the effectiveness of risk mitigation.

By attaching real numbers to cybersecurity—this is how much a breach will cost us, this is how much we can reduce risk by making this specific investment—CISOs can work with the C-suite to make more informed decisions.

Cybersecurity risk mitigation is more critical than ever. With most companies embracing digital transformation, the impact of a breach can be crippling, in terms of money lost, damage to brand reputation and partner/customer goodwill. At the same time, the threat landscape is increasingly sophisticated, better funded and more coordinated. 

For CISOs and cybersecurity teams in your organization, every action and investment should be made with the goal of mitigating risk. There are two critical steps your teams should take:

  • Step one is a complete and thorough cybersecurity risk assessment. As I’ve previously noted, not doing a risk assessment is the greatest risk. Part of the assessment is to measure the organization’s cybersecurity state across a wide range of variables that adhere to industry-standard best practices. I often use the ISO 27001 Security Framework, which covers 14 different domains, each of which has a direct impact on risk. These include security policies, compliance, asset management, operations security, supplier relationships and other key factors. The important point for business leaders to understand is in using ISO 27001 or another standard as a baseline, your teams can measure where the organization stands and can identify areas needing improvement and additional investment. Other suitable frameworks include the National Institute of Standards Cybersecurity Framework and COBIT 5 For Information Security—as long as the framework is understandable and measurable for the board.
  • The second step, once you’ve completed your assessment, is to develop and implement a strategy and roadmap for risk mitigation. The overall strategy should tie into the business goals, i.e., understanding the costs of a potential breach and how much risk the organization is willing to tolerate, identifying the “crown jewels,” etc. In building the roadmap, the CISO and security teams should refer to the underlying framework, such as ISO 27001, NIST or COBIT 5, to identify important risk sectors that must be addressed. These can be factors such as lack of visibility, lack of control, overcomplexity, lack of personnel resources and others. 

Then, you have to connect the dots in tying the risk mitigation roadmap into actual benefits. On the one hand, it is fairly simple to look at the direct costs of cybersecurity in terms of investment in technologies, operations and personnel. On the other hand, the step that continues to be elusive for CISOs, is to specifically measure the financial impact of that investment in terms of risk mitigation. 

That’s where CISOs can be creative in using tools and technologies at their disposal, in addition to leveraging their relationships with leading cybersecurity vendors to help guide and inform their roadmaps. 

Starting with ISO 27001 or other industry standard framework, CISOs can create a “holistic security umbrella” that measures where, when and how changes in policies, investments, personnel, etc., can deliver improvements. Then the organization can look at the costs involved in making those changes and create specific targets and timing for risk mitigation initiatives.

The harder part has been to translate these investments into actual, measurable financial impacts of risk mitigation. One of the methods I’ve found to be effective in measuring risk mitigation is to leverage accepted industry research and best practices.

Breaking Down the Numbers

One tool I recommend is the Cost of a Data Breach Report conducted by Ponemon Institute on behalf of IBM. This easily accessible public report provides a wealth of critical information that CISOs can use to measure the financial impact of their risk mitigation investments. 

In the 2019 Cost of a Data Breach Report, the average total cost of a data breach was $3.92 million and the average cost per lost record was $150. The report provides extremely useful granular information, such as:

  • Organizations undergoing a major cloud migration during the time of the breach saw a cost increase of $300,000; 
  • System complexity increased the cost of a breach by $290,000;
  • Encryption reduced breach costs by an average of $360,000; 
  • Business continuity management in the aftermath of a breach reduced the total cost by an average of $280,000.
  • Conducting extensive testing of an incidence response plan could reduce the cost of a breach by an average of $1.23 million.
  • Organizations that had not deployed automation experienced breach costs that were 95% higher than breaches at organizations with fully deployed organization.
  • These are just some of the relevant measurements contained in the report. By extrapolating the costs in this research and relating it to investments, CISOs can provide business decision-makers with a clearer picture of the value that risk mitigation is bringing to the organization. 

To take one example from above: If the cybersecurity risk assessment shows that encryption is a weakness, the organization could invest $200,000 in encryption to reduce risk by $360,000 per year. Or it could invest X amount in extensive IR testing to reduce risk by an average of $1.23 million per year, depending on the size of the company, the region and the industry. 

The Ponemon report offers breakdowns by region and industry, so it makes it easier for CISOs to tailor the research to their specific organizations. And because it is numbers driven, CISOs can create visual presentations and conduct conversations in the language of business, i.e., total costs and return on investment. 

By using simple, widely accepted methodologies and research, such as the ISO 27001 Security Framework, NIST, COBIT 5 and the Ponemon Cost of a Data Breach Report, CISOs can paint a much clearer picture of what the business is actually paying for and achieving in cybersecurity investment. For all the decision-makers in the room, you shouldn’t have to settle for anything less. 

Fred Streefland is chief security officer for North and Eastern Europe at Palo Alto Networks.