CIOs are trapped between a rock and a hard place on cyber security.
On the one hand, you have CEOs shroud-waving after the latest headlines about hacks and data breaches (NotPetya and Capita being two that reached the boardroom).
On the other, you may have a CFO asking you to cut all costs by 20-30%.
And of course, the CISO is telling you to increase the security budget, because 1) the threat environment is continually developing; 2) AI is escalating things further; and 3) governments around the world (including the UK) are passing legislation to tighten up information security and data privacy, which will almost certainly add extra compliance obligations (and therefore cost).
The squeeze doesn’t even stop there: you may also have security infrastructure embedded in legacy systems that you are expected to be seen to get your money’s worth from.
So how secure are you? How secure is your supply chain?
And how much is it all costing you?
If you think you know the answers, how do you know?
Costs for cyber security seem to come at you from everywhere, all at once: technology, usage, compliance, security governance and audits, and training staff on security awareness (the largest source of security breaches is still people clicking on things they shouldn’t!).
What we’ve seen over recent years is that organisations buy security tools and solutions to fix specific threats and problems, and those tools end up layered on top of each other. Complexity always adds cost, and that cost is not always immediately obvious. It can therefore be very difficult to quantify the true cost of cyber security, because you need to consider not just the price of the tool but also the hidden costs:
- Impact on processing power (typically 8-13%)
- Network and networking costs
- Impacts on user experience
- People costs, and how to accurately apportion staff time between security and everything else
The good news is that technology is emerging that has the potential to help, but only if you understand where your baseline is, so that you can take advantage of the operational opportunities it offers.
You need to be able to dig into your costs to determine your next steps. Fully understanding your cyber spend is a worthwhile investment: it gives you a baseline, and from that you can assess what spend is needed to build a balanced security environment, one that weighs the pain of an incident against the cost of preventing it.
So, what’s a sensible spend on Cyber security?
We include information security as part of our comprehensive benchmarking services, and the range of spend that we see is breathtaking: anything from 3.5% to 18.4% of the total IT budget. The variation is due largely to industry differences, and to whether “Operational Technology (OT)” is included alongside traditional IT. But it is also clear that organisations differ in how they attribute costs. In some, cyber is a hot topic and spending in the area is encouraged. In others, some of the cost of security may be buried in project budgets to secure funding for those projects.
We would therefore encourage you to perform a benchmark as soon as possible and include absolutely everything in it. Only then will you have full sight of cost versus benefit and know whether you’re spending too much, or not enough, on cyber security. To find out more about ImprovIT’s benchmarking and cost transparency services, take a look around our website. We can give you access to the knowledge we have gained from over 1700 analyses across the private and public sectors, and across global territories. Our IT transparency services allow you to create “consumer views” that detail the IT cost-to-serve for each business function, and identify areas where IT costs can be optimised and streamlined.
Contact us today for an informal chat about how we could support your cyber security budgeting and strategy.