Creating a cybersecurity budget? Here’s what to think about

Posted by Craig McDonald on 19 March 2019 11:27:45 AEDT

Do you go on holidays without buying travel insurance? I sure don’t. When I’m in Champagne's exotic vineyards or tasting fine wine somewhere during my Taste Champagne adventures, I want to be sure that my trip isn’t ruined with a big hospital bill. 

Your cybersecurity budget is a similar spend - to stop nasty surprises from ruining your business or souring your year.  

Cybersecurity sits squarely on the defensive side of the business budget. And while boosting your cybersecurity budget probably isn’t going to gain your company anything in terms of customers, outreach, or revenue, it can help to stop you from losing: financially, operationally, and with your reputation. The importance of having an effective cybersecurity budget is, in fact, being reiterated in the news every day. Just a few days ago, President Donald Trump announced that he was asking for an additional USD9.6 billion to bolster cybersecurity in his 2020 budget.

With 60% of CISOs believing their cybersecurity budget is underfunded, according to ISACA’s State of Cybersecurity 2019 report, it’s important to give careful consideration to this critical business function.

As with most things, there’s no one-size-fits-all solution, especially when it comes to financial advice. Every organisation has a different set of needs and resources, and those things are fundamental when allocating a business budget. SMBs in particular are in a precarious position because they have limited resources to spend.

That said, there are a few standard questions business owners like myself often consider when thinking about creating a cybersecurity budget. Here’s my take on some of them:

How do you decide how much of your budget to assign to security every year? 

When you’re balancing other operational issues, investing for growth and trying to please shareholders with a healthy bottom line, cybersecurity can seem like a business area that just gets swept to the side: a necessary evil, like insurance, with a similar budget allocated year-on-year.

But is this a sound approach?

In ASG’s Research Insights Paper: Cybersecurity Realities and Priorities for 2018 and Beyond, over 80% of respondents indicated that cybersecurity becomes a complex and more difficult task each year. 

This sounds like it would indicate that allocating a greater proportion of your budget to cybersecurity each year might be wise to protect your company against cyberattacks.  

Indeed, The Cybersecurity Imperative report from ESI Thought Lab in 2018 said that, “to cope with rising risks, companies upped their cybersecurity investment by 7% over the last year and plan a 13% boost next year.”

I’d say think about whether your cybersecurity budget necessarily needs to increase year-on-year. Or, instead, does it need to be assessed against current and future goals and risks to determine a dollar value for spend, just like in any other area of business?  

I’ve said before that when you align your organisation with clear governance, strategy, frameworks, and repeatable processes, it makes cybersecurity more easily manageable. Does your company have a CISO yet?  

Having a proper cybersecurity framework is key when allocating resources and determining your budget. For instance, ask yourself: should spending on cybersecurity be initiated by the IT department or at senior management level?

The ESI Thought Lab report also indicates that only “4 out of 10 businesses have HR departments with budgets for recruiting and developing staff in cybersecurity and an equal number have executives who focus solely on cybersecurity.” 

Putting these in place first and honing year-on-year is more important than just throwing money at software solutions. 

If your overarching strategy is not already strong, consider a larger cybersecurity budget this year to tackle this issue.

Remember not to focus only on the technological solutions and the technical investments required to boost your cyber defence systems. This budget should also include funds for the education of team members, for example training staff on how to spot phishing emails.

When you have a budget, how do you assign it to the different security challenges?  

We can identify cybersecurity budget areas in a number of ways. For instance, one way to view cybersecurity is by the activities in each of the functions Identify, Detect, Protect, Respond, and Recover (as per the NIST Cybersecurity Framework). According to the ESI Thought Lab report above, the greatest spend allocation goes to Protect, with Recover coming in last place.

It also goes on to say that in 2019, companies will “allocate 39% of their cybersecurity budget to technology, 31% to process, and 30% to people.”

Technology, processes, and people are all equally important when facing cybersecurity challenges, and aligning all three will ensure money well spent.

It’s best to identify your specific needs before you make a decision on where to focus the majority of your budget. For example, your business may have been suffering from an influx of phishing emails recently and you may be concerned about your email security. In this case, one of your primary needs would be to invest in another layer of protection to combat email threats, for example using a third-party cloud email solution like MailGuard to complement Office 365.

In addition, you may also want to boost your cyber defence capabilities by providing phishing awareness training to your employees so that they’re better equipped to spot the difference between a spoof email and a legitimate one.

The crux of the point is that preventing phishing attacks would be one of your priorities and form a key constituent in your cybersecurity budget. This doesn’t imply that other areas of cybersecurity aren’t important, but these areas will be given preference in terms of how many resources to allocate. Remember that once you’ve got them under control, you can always go back and address other areas later on.

How do you prioritise cybersecurity technology solutions? 

Just as there are a million different ways you could slice up your budget overall, there are a million different cybersecurity technologies you could invest in to beef up security. You may even want to think about building a multi-layered tech stack.

In Cisco’s CISO Benchmark Report 2019, 37% of organisations have more than 10 security manufacturers/brands covering their cybersecurity solutions, with 3% having more than 50.

Personally, I’ve heard those figures before. At Microsoft’s Inspire conference last year, a presentation from their EU team claimed that the average CISO is overseeing 48-60 solutions, and some claimed to have as many as 120 security vendors engaged.  

Multi-tasking challenges aside, how do you decide which solutions are could-haves, should-haves, or must-haves?

Again, it comes down to seeing where incidents occur. In the Cisco report mentioned above, when respondents were asked, “Which security incidents/attack types have you encountered in the past year?”, two of the top three responses were email-based attacks, malicious spam and phishing, making email security the #1 threat vector.

If your business is also suffering from malicious spam, for instance, but you’ve invested big money into an advanced security analytics platform, you may find your cyber defences lacking in other key areas. Plus, you probably won’t be utilising all of the platform’s features anyway, weakening the case for spending so much money on fixing a problem that isn’t affecting you much in the first place. In such a case, it would probably make sense to downgrade your security analytics and channel that money into a cloud email security provider.

Remember, investing in the most advanced and up-to-date cybersecurity solutions doesn’t necessarily guarantee overall improved security — it’s all about whether those solutions are best fit to address the vulnerabilities present in your overarching cybersecurity strategy.  

As business owners, we’re accustomed to being part of the budget allocation process for the different departments in our companies. The technical nature of cybersecurity, and the plethora of security solutions in the market, shouldn’t deter us from being active participants in the cybersecurity budget discussion and treating it as any other business decision.

Talk to your security teams to identify the gaps and weaknesses of your existing cybersecurity strategy, and then determine the thought process and purpose behind the budget you come up with. This will increase confidence that your resources are being used as efficiently as possible.

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets.  If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.

