Evaluating cybersecurity needs and justifying spend

Cyberattacks are expensive, but it’s even more expensive to repair the damage they cause. Financial institutions often lose money due to data breaches and phishing attacks, but the costliest loss isn’t monetary – it’s reputational damage that leads to customer distrust. This begs the question, “Is your bank budgeting enough for cybersecurity?”

Cybersecurity budgets come in many sizes, but to properly support cybersecurity resources, the allocations to IT and cybersecurity must be separate.

CIO’s 2019 State of the CIO survey asked IT executives from around the world to estimate what percentage of their institution’s IT budget was focused on security. The average response was 15 percent. When asked what initiatives will be most significant in driving IT investments at their organization in the future, 40 percent of respondents cited the need to increase cybersecurity protections.

Clearly, as more focus shifts to cybersecurity, it is important to reflect cybersecurity strategy in your budgeting process. However, cybersecurity is also inherently transversal, meaning it requires partnerships between the C-suite, IT, compliance and other departments.

Security should not be viewed as its own function, but rather as a part of your overall business strategy. By separating your IT and cybersecurity budgets, more funds can be dedicated to cybersecurity initiatives and projects, rather than having to share resources across many initiatives.

Enhancing cybersecurity within IT

If separating the budget is not possible, creating a separate line item for cybersecurity in the IT budget can ensure appropriate focus on cybersecurity initiatives.

With global losses from cyberattacks expected to reach $6 trillion in 2021, it is essential that IT leaders and C-level executives agree on an effective incidence response program. In Ponemon Institute’s “Managing the Risk of Post-breach or ‘Resident’ Attacks” survey, more than half of respondents expect their IT security budget to increase by 20 percent and that threat detection will receive the greatest in allocation.

Information security officers and C-level executives must work closely to weave security into your institution’s culture and processes to implement effective budgets. To facilitate communication between the C-suite and IT, consider reviewing the following questions with all parties in the room:

  • How well do we understand our risk profile?
  • Have we quantified out cyber risk exposure?
  • Is the security budget in line with our institution’s risk appetite?
  • Do we have an accurate understanding of risks and capabilities to assess where cybersecurity investment will be most effective?
  • What capabilities are we looking for and what solutions can be effectively deployed and managed by our staff?

Answering these questions will offer a holistic view of what your organization is facing.

Justifying the budget to executives

With a business-minded C-suite and a technical-minded IT team, reallocating funds is often a challenging conversation to have. IT must work with senior management to optimize the cybersecurity budget and maintain a framework that improves cybersecurity posture while meeting examiner expectations.

As banking evolves into a digital-first world, cybersecurity attacks remain high. VMWare’s Carbon Black group reported that cybercriminals increasingly targeted the financial services sector during the early part of 2020, and Ponemon Institute suggests that the average cost of such a data breach globally is just over $3 million. Statistics like these can quantify the importance of cybersecurity to C-suite executives.

The cybersecurity landscape shifts constantly from year to year. As legacy systems become more outdated and operations continue to move to the cloud, budget decisions should reflect these transformations. If new technology and compliance systems prove to be more effective and efficient than previous options, altering your cybersecurity budget could save money in the long run.

There has been a shift toward a more proactive cybersecurity budget allocation – one in which institutions take on the mindset of a hacker and use this knowledge to build strong defenses. Increasingly, institutions will enlist the help of a third-party service provider to help them prove they are doing the right things at the right time to keep themselves secure.

One constant factor in any institution’s cybersecurity is change – change from new policies, business processes or technologies. The cybersecurity landscape is constantly evolving, and your institution should be evolving with it. A solid cybersecurity strategy specific to your institution can increase efficiency, decrease breach response time and ensure top leadership and IT executives are aligned on budget allocations.

Steve Soukup is chief executive officer at DefenseStorm.