No company is taking cybersecurity as a light suggestion anymore. Businesses of all sizes* know that protecting their digital assets and operations requires having the right budget for IT and, consequently, for cybersecurity.
So, how should the cybersecurity budget be defined and managed? What different approaches and components should be considered for small, medium and large companies? Alter Solutions’ Head of Cyberdefence and country director for Canada, Nabil Diab, helps clarify these and other common doubts.
Should all companies have a budget for cybersecurity?
Well… yes and no. Ideally, yes, but in practical terms the size and turnover of the company will dictate if that should be, in fact, a priority. Nabil explains: “Very small companies should not initially have a dedicated budget for cybersecurity. They should start by thinking about assigning an appropriate budget for IT. For small companies in general, it will depend on the turnover. And for the larger companies, yes, it is essential”.
What role does a CISO play in this challenge?
A Chief Information Security Officer (CISO) is the person responsible for the overall security of a company’s assets. It is their responsibility, then, to gather the necessary budget for addressing the risk of cyber threats.
“When a company does not have enough budget for cybersecurity, it is either because the CISO could not effectively explain the cybersecurity risks of a low budget to the board, or because the General Direction loves the risk and doesn’t have a problem with that”, Nabil clarifies.
It is also part of a CISO’s job to regularly review the needed cyber budget, according to a continuous risk analysis.
How CISOs manage their budgets
Just like any other division’s budget, a CISO’s budget usually splits into three main areas: people, technologies and services. Depending on the CISO’s strategy and the company’s area of activity, some will invest more in people, while others will invest more in technology or services.
Nabil points out a curious fact about this: “Usually, the companies investing more in technology are the ones that have the lowest budget for cybersecurity, because IT tools are cheaper than cyber expertise, and they can ‘tick the boxes’ more easily to be compliant”. Here are a couple of contrasting examples:
- Administration
In the public sector, organisations invest a lot more in technology because they cannot afford to pay the right salary for the best experts. This means that they invest instead in IT products.
- Banking
Banks’ operations, on the other hand, are digitally-based, which means their risk exposure is high, and consequently so is their cybersecurity budget. They already have access to the best expertise and tools, so it’s natural that a CISO will allocate a big chunk of the budget to people.
What should a cyber budget cover?
Small businesses should prioritise…
…Cloud and SaaS (Software-as-a-Service) solutions, instead of using on-premises tools, since they probably won’t have the necessary skills to secure them. Plus, Nabil adds, “Cloud and SaaS solutions already incorporate a minimum level of security. The majority of small businesses today are working with Microsoft, for example, which includes Entra ID”, an identity and access management solution that comes with a predefined level of protection.
One of the key features of Entra ID, which all businesses should put in place, is Multifactor Authentication (MFA). “It is very important, and it decreases the risk of cyber threats by a lot”, Nabil guarantees.
The second priority in line for small companies is an Endpoint Detection and Response (EDR) solution, which is crucial for protecting all endpoints on a corporate network.
Large businesses, on the other hand…
… pretty much already have the full arsenal of classic cybersecurity tools, but according to Nabil, those that want to go beyond and ensure protection against the most advanced threats are focusing on two main areas:
- Innovative products
This includes Artificial Intelligence (AI)-driven solutions. An example of this is User and Entity Behaviour Analytics (UEBA), which analyses user behaviour to detect anomalies.
- Product customisation
Companies will allocate budget to enhancing the configuration of existing tools, building custom connectors, developing in-house rulesets, among other measures.
Invest in-house or outsource expertise?
Once again, size, turnover and budget are key factors to consider. Small and some medium-sized companies simply cannot gather the necessary expertise to build and maintain their own Security Operations Centre (SOC), so the best value for money is always in externally hiring Managed Security Services.
“Assuming a 24/7 coverage, companies simply can’t manage a SOC with less than 1 million euros per year, in Europe. If you do, it means you don’t have the right expertise and the right people. Plus, a SOC is only a part of cybersecurity – you also need to consider all the organisational aspects, access management, architecture review, etc.”, Nabil argues.
When companies reach a certain scale, then they can consider changing strategies. “When you have a few thousand employees and the right budget, you can begin to consider a hybrid approach. This means having some in-house people that are able to manage incidents, while being helped by an external company that will bring you the missing expertise your team doesn’t have”, our Head of Cyberdefence explains.
Only large, multinational companies are usually able to run their own SOC, but they need to keep in mind that it is a very expensive and time-consuming move, since it involves a lot of expertise, management skills and logistics. “When you have a cybersecurity provider, you can ask them for a SOC and within a month everything is in place. If you do it by yourself, it will take 2, 3 or 4 years before it is up and running. So, the key is to think long-term and explain to your board the key differences between having full in-house expertise, opting for a hybrid approach or fully outsourcing Managed Security Services”, Nabil claims.
The million-dollar question: what percentage of the IT budget should be allocated to cybersecurity?
All companies large enough to have a cybersecurity budget (and a CISO) should have at least 10% of the IT budget allocated to this purpose. “If it’s less than 10%, it is not enough”, our Head of Cyberdefence assures. “If, on the other hand, you can get to 25%, then you are definitely a good CISO that presented solid arguments to the board”.
How often should a cyber budget be reviewed?
CISOs should review the company’s risk every year and adjust the cybersecurity budget accordingly. “You have to do it every year”, Nabil advises, “because the risk is not always the same, there are new vulnerabilities, actors, and geopolitical factors too. For example, the risk of a Ukrainian company is not the same now as it was 3 years ago”.
Businesses today, especially those with a CISO, are increasingly adopting this proactive approach to cybersecurity. However, an undesirable number of companies still maintain a reactive approach: “A lot of companies still invest in reaction to cyber incidents, so they only increase their cyber budget when their operations have been compromised. This is not a good strategy”, Nabil warns.
The rising future of cybersecurity budgets
IT budgets are expected to take up more and more space in companies’ overall budgets. So, naturally, cybersecurity budgets will follow this trend and keep rising too, since risks and threats will continue to show up.
While this happens, Nabil foresees another trend of opposing force. “We may witness a few solutions being integrated into businesses, that are really interesting and could lower the budget a bit. AI solutions, for example, that could replace some of the staff”.
A good example of this is what’s happening inside SOCs. “Until roughly 3 years ago, we had three levels of SOC Analysts: L1, L2 and L3. L1 doesn’t exist anymore because we replaced them with tools that are definitely cheaper. So, maybe tomorrow the L2 will also disappear. It is not good for human resources, but it is a solution that can limit the cybersecurity budget and increase protection. I’m not saying it will fix the problem of rising cybersecurity budgets, but it is an opportunity to use more advanced tools that may help us face new threats without spending more money”, Nabil concludes.
* For the purpose of this article, we consider:
- Small companies: Under 500 employees.
- Medium-sized companies: 500 – 10.000 employees.
- Large companies: Over 10.000 employees.