Cybersecurity Budgeting: You’re Probably Doing It Wrong

Cybersecurity Budgeting

Cybersecurity is still an emerging field with a lot of mixed messages and, at times, seemingly contradictory information. Odds are your 10+ year veteran IT generalist(s) supporting your organization are struggling with this as well. Besides not having access to the proper financial data to do the calculations, your IT staff are trying to articulate incomplete risk information to senior leadership in technical terms because they don’t have the data to put the risk in financial terms. So how are you supposed to budget for security when you can’t get consistent advice?

Flip the Script: Separate Cybersecurity and IT Budgeting

The key is to stop viewing cybersecurity as an IT problem. Your cybersecurity budget should have nothing to do with your IT budget - those two things are unrelated. You should be viewing cybersecurity budgets like you would an insurance policy.

Calculating Your Level of Risk

In order to set a cybersecurity budget, you need to determine your organization's level of risk. Some of the information you will need to know to properly calculate that risk include:

  • Cost and total revenue per hour of operation
  • What insurance do you have? Does your policy include Cybersecurity, Cyber Liability, and/or Technology Errors and Omissions?
  • Does your insurance policy have stricter standards than you do, and are you 100% sure you comply with them? Do you have that in writing from the insurance company? If your interpretation and the insurance company's differ, noncompliance could invalidate your entire policy (discovered only after you file a claim believing you were covered).
  • Does your insurance policy cover you if it is found you weren’t in compliance with a legal or regulatory framework?
  • How would losing your top 5 customers impact your business? If you suffer a major security breach and have to notify customers of stolen information, how likely is it that you would lose those top 5 customers?
  • What laws, regulations, and certifications do you need to comply with?
  • What is your full regulatory liability? For example, HIPAA penalties are assessed per record and per incident, so you need to count how many health records you hold - not how many active patients you have.
  • If you have independent certifications like ISO, what would losing that certification cost you? Will you lose a substantial number of customers if your ISO certification gets suspended?
  • What common information do you hold that might incur civil penalties? Most companies retain employee information, such as social security numbers and dates of birth, that can be used for identity theft; your organization can be held liable if that HR data is compromised.
  • Do you have digital relationships with other businesses? Do your employees have remote login access to another business's systems, or are there direct connections between the two networks? If so, you might be found liable for damages if your digital assets were used to breach that other company.

Once you understand your liabilities, then you can determine how much you’re willing to spend to mitigate the risks. We suggest initially setting a minimum and then determining a buffer amount you’re willing to spend in the right circumstances. Once you have your budget set, then you can start determining the solutions that will mitigate the most risk for the least amount of money.

If you need help measuring your liability or determining what the most valuable security controls are, Vista can help you with discovery, assessments, CIO/CISO level consultation, and a variety of products to solve your unique problems. Just give us a call!
