Arriving at a budget for cybersecurity activities is a challenge. The dynamic nature of the cyber risk landscape, technological change and market conditions make budgeting for cybersecurity a daunting task. While budget categories for Small and Medium Businesses (SMBs) vary with the nature of the business, cybersecurity does not fit neatly under any one of the usual categories: Office Space, Utilities (Internet connectivity, electricity, water), Payroll, Office Equipment and Supplies.
Cybersecurity activities are part of the overall risk management strategy of the organization and are not limited to the IT departments. This is mainly due to IT being an integral part of all business processes in today’s organizations.
The following are indicative expense heads which can be used as a starting point. By categorizing their cybersecurity spending under these heads, SMBs can get a better understanding of the cost of cybersecurity.
Cybersecurity Governance, Responsibility and Accountability – development and maintenance of a cybersecurity policy is an important investment. Responsibility and accountability for cybersecurity should be vested in individuals or teams who are in-charge of decision-making processes and have oversight of the roles, responsibilities, processes, and practices within the organization.
Cybersecurity Strategy, Program and Assessments – budgets should support the implementation of formal cybersecurity strategies developed and updated over time in response to formally conducted risk, vulnerability, and business-impact assessments.
Cybersecurity Education and Training – Cybersecurity-awareness and training initiatives should be funded adequately. Knowledge of information security has become an important requirement for professionals at all levels and functions within organizations. Further, the information security risk landscape is changing rapidly, and professionals need to learn, unlearn, and relearn concepts.
Hardware, Software and Professional Services (including, but not limited to)
Third-party Managed Services – use of third-party cybersecurity consulting and managed services in,
Cybersecurity-related Audits (internal audits) – the goal of any cyber-related audit is to understand and evaluate an organization’s ability to identify, manage, and mitigate the risks facing the facilities, networks, information systems, and data.
Cybersecurity Insurance – understand the dollar value of the organization’s cyber risk
In summary, investments and expenses in cybersecurity are more than budgeting for and buying IT during Black Friday sales. Investing in cybersecurity is about organizing your assets and arriving at an optimal arrangement (configuration) that avoids, reduces, or mitigates cyber risks.