Cybersecurity budgeting is a hot topic today. The data breach headlines make it abundantly clear that robust cybersecurity is vital for every organization — but leadership teams cannot simply issue a blank check with the memo line “Improve cybersecurity!” Instead, they need to establish an effective cybersecurity budget.
This article can help. It explores the factors that impact cybersecurity costs and how much of a broader IT budget organizations are currently allocating to cybersecurity, provides guidance on how to justify budget requests, and lays out key trends to consider for longer term planning.
How much does cybersecurity cost organizations?
The cost of cybersecurity for an organization can vary dramatically. Key components of a cybersecurity budget include the following:
- Software — The most obvious line items in your cybersecurity budget are software solutions. These typically include antivirus applications, firewalls, auditing and change management tools, and backup and recovery solutions. Indeed, large enterprises now have an average of 76 different security tools.
- Personnel — However, the single biggest cybersecurity cost is actually personnel, accounting for a whopping 38% of the overall security budget. Skilled cybersecurity talent has been in high demand for years, and trends like the surge in IT retirement have only compounded the problem. But it’s important to understand the complex relationship between software and personnel. Too many organizations hire expensive cybersecurity talent and then assign them repetitive tasks. But if you invest in the right automated solutions, you can free up your limited IT team to focus on more strategic issues. Moreover, this strategy can, in turn, actually improve job satisfaction and talent retention.
- Services — Organizations often engage third-party cybersecurity services for specific tasks like vulnerability assessments and penetration testing, as well as for ongoing managed security services.
- Hardware — Most organizations still have an on-premises footprint, so they need to allocate cybersecurity budget to keeping their servers, router and other IT infrastructure up to date. In addition, they need to plan for workstations, laptops and other hardware investments.
- Training programs — Regular training on cybersecurity awareness, best practices and emerging threats is crucial for all users. Ideally, training should be tailored to specific audiences. Be sure to cover all employees, including management teams, as well as consultants and anyone else with access to the network. Consider performing regular testing of the effectiveness of the training, such as by sending phishing-like emails and checking who reports them and who falls victim to them.
- Compliance costs — Organizations that are subject to regulatory mandates, such as HIPAA, GDPR or PCI-DSS, will likely have compliance-related costs, from reporting and audit preparation to hiring a Data Protection Officer (DPO).
- Incident response — The goal of a cybersecurity budget, of course, is to avoid data breaches and other incidents. But organizations need to be prepared for the possibility of successful cyberattacks. Costs can include forensic investigations, legal costs, compliance penalties, and public relations efforts and compensation measures like identity theft monitoring.
- Cybersecurity insurance — Many organizations purchase cybersecurity insurance to mitigate the financial impact of a data breach. As explained below, be sure to consider whether this money might be better spent on cybersecurity controls instead.
- Contingencies and unexpected costs — Some organizations include some cushion for unexpected expenses in their cybersecurity budget. For example, serious vulnerabilities are regularly discovered, and some require significant effort to mitigate. For example, a vulnerability in Log4j was discovered that enables malicious actors to run almost any code they want on vulnerable systems. An open-source software library, Log4j is widely used by vendors like Microsoft, Apple, Cloudflare and many more. As a result, organizations are still working to identify vulnerable systems, test and install patches and other mitigation measures, and check whether those fixes were implemented correctly.
How much of an IT budget should go to cybersecurity?
On average, organizations allocate 11.6 percent of their IT budget to cybersecurity. However, about a third say it’s less than 6 percent. Part of the problem with getting reliable numbers is that different organizations have different criteria for what’s part of the “cybersecurity budget” and what isn’t. For example, purchasing a laptop for a new employee would traditionally come out of the regular IT budget. But that machine needs to be provisioned with a variety of security-related software, such as antivirus and monitoring tools, that is not included with the operating system. So, it’s no surprise that different organizations might have different ways of categorizing the budget for a line item like “new laptops.”
While there is no one-size-fits-all answer to the question of how much of your IT budget to devote to cybersecurity, here are some of the key factors that can influence the percentage:
- Organization size and complexity — In general, total IT and cybersecurity costs increase with the size and complexity of the organization. But smaller companies may allocate a larger percentage of their IT budget to cybersecurity because they recognize that their limited IT staffing might make them more vulnerable.
- Sector — Security allocation within IT budgets varies significantly based on sector: Tech, consumer goods and services allocate more than 15 percent, while organizations in sectors such as legal, manufacturing, healthcare and retail devote less than 10 percent.
- Compliance requirements — While some compliance mandates, such as HIPPA and FERPA, are sector-dependent, others apply more broadly, so it’s worth calling out this factor separately. For example, PCI-DSS applies to any organization that accepts credit card payments, and modern data privacy regulations like the GDPR apply across both industries and nations. Accordingly, nearly every organization needs to include compliance in its cybersecurity budget.
- Security maturity — Organizations with mature security programs may be able to devote less of their budget to cybersecurity compared to those just getting started. This might help explain why healthcare organizations are on the lower end of budget percentage despite being in a highly regulated sector; those regulations have been in place for a long time.
- Risk profile — Organizations that are more attractive targets for cyberattacks may need to allocate a higher percentage of their budget to cybersecurity. Examples include organizations that have a lot of valuable personal data (like Equifax and Twitter), are key elements of a supply chain (like Solar Winds), or deliver essential services (like Colonial Pipeline).
- Technology footprint — The size and nature of the IT ecosystem greatly affects an organization’s cybersecurity strategy. In particular, cybersecurity budget will look different depending on what on-prem systems and cloud resources you are using.
- Use of third-party vendors: Especially in a server and data storage capacity, organizations often hire third-party vendors to manage IT tasks. When doing so, companies must ensure that vendors have adequate security measures in place. Outsourcing and due diligence take time and resources, which can increase costs. For instance, within cybersecurity alone, measures like vendor risk assessments will be required.
- Previous security incidents — Organizations that have suffered one (or more) data breaches in the past are likely to invest more of their IT budget in cybersecurity. The types of attack experienced can factor into the specific line items; for example, an organization that fell victim to a phishing attacks might focus on measures like employee training and email filtering software.
How to justify a cybersecurity budget
Justifying a cybersecurity budget to stakeholders can be challenging. Indeed, a staggering 36% of CEOs and CISOs say their board of directors will pay attention to cybersecurity threats only after a breach or other incident has happened. If you’re looking to justify cybersecurity budget, you already know it’s essential to get out of that reactionary mode. So, what can you do?
The key is to focus on one core message: Cybersecurity risk is business risk.
Research shows that among organizations where the board treats cybersecurity as a business risk, there is greater proclivity toward proactive investment, concern with technical risks and approval of cybersecurity budget.
Here are some effective strategies to bring that message home.
Quantify the cost of inaction.
When risks are unknown or unquantified, it is very difficult to convince people to act — particularly those holding the budget purse strings. To build the foundation of your case, start with the fact that the global average cost of a data breach was US$4.45 million in 2023, a 15 percent increase over three years.
Leadership teams at smaller organizations might say this statistic isn’t relevant, so keep this one handy: The average impact of a data breach on organizations with fewer than 500 employees is $3.31 million.
To illustrate why breaches are so financially devastating, start with the cost of downtime. Point out that 40 percent of enterprises say that a single hour of downtime costs $1 million to over $5 million, and in a worst-case scenario, losses can reach millions of dollars per minute.
Then move on to these additional possible direct and indirect costs:
- Loss of intellectual property and other business-critical information
- Expenses for remediation and forensics, possibly including expensive outside expertise
- Ransomware extortion payments
- Regulatory and compliance fines — be sure to look up the penalties for the specific mandates your organization is subject to
- Legal and public relations fees
- Expenses for notification, credit monitoring and identity theft mitigation for affected parties
- Damage to company credibility, brand and reputation
- Customer churn
- Increase in insurance premium or even loss of eligibility for a policy
Explain why cybersecurity insurance is no substitute for cyber resilience.
Some leadership teams may want to make cyber risk insurance the center of the organization’s cybersecurity budget. While holding a cyber risk policy does transfer a chunk of the financial risk associated with a breach or other incident, you have powerful arguments for why it is in no way a panacea that should displace other cybersecurity budget line items.
Start by illustrating the decreasing value of investing in cyber risk insurance with these facts:
- Policy rates are skyrocketing. Not long ago, cyber risk insurance policies were often arguably underpriced because so many companies wanted to establish themselves in the market. But with cyberattacks increasing in both frequency and sophistication in recent years, many of those providers ended up having to pay out on huge claims, and they are raising rates to compensate. One study found that direct premiums increased by 50 percent in 2022, while another article pegged the increase at 80 percent. Some organizations report paying as much as US$1M a year for their policy.
- Having insurance can increase your risk of being attacked. One study found that organizations with cyber insurance were more likely to be hit by ransomware than those without — and 70 percent more likely to be attacked multiple times.
- Cyber risk insurance often has significant exclusions. With any insurance policy, the fine print matters a great deal. Cyber risk insurance policies often have a bevy of exclusions, and their application is currently being debated in the courts. Some of the most common exclusions include the following:
- Prior acts clauses absolve the insurer from paying claims for activity that occurred before the policy was issued. Since malicious activity often goes undetected for months or even years, this is a crucial exclusion to keep in mind.
- Failure to maintain standards exclusions enable the insurer to deny paying a claim if an incident was caused by the organization’s failure to ensure required controls remained in place.
- Acts of war clauses exclude losses resulting from state-sponsored cybersecurity attacks. This clause has led to lawsuits and out-of-court settlements that leave core questions about the scope of this exclusion unclear at best. But Lloyd’s of London, for one, now requires all standalone cyberattack policies to include a clause excluding liability for losses arising from a state-backed cyberattack or war, declared or not.
- Limitation on compliance penalties can leave the insured company on the hook for steep fines and other costs, even if the policy covers other aspects of the damage from an incident.
Then, offer a more cost-effective approach. Note that many insurers now require organizations to have specific types of security controls in place in order to qualify for a cyber risk insurance policy or reduce its cost — and explain the core reason: Having solid cybersecurity controls in place reduces the risk of suffering a breach in the first place and helps reduce the damage of incidents that do occur. Point out how those required controls map onto the line items in your cybersecurity budget.
Now you’re ready to present the logical conclusion: Instead of spending a big chunk of the cybersecurity budget on expensive insurance with tons of exclusions, reallocate that money to preventing incidents and quickly recovering from attacks. Those investments might well be required anyway to qualify for a policy, and by implementing a comprehensive strategy, you might well obviate the need to purchase insurance at all.
Present your organization’s current risk and a strategy to mitigate it.
Providing visibility into business risks is a powerful way to drive a sense of urgency about mitigating them, which can spur leadership teams to approve cybersecurity budget. Accordingly, dig into your current risk posture as best you can. Look for tools that increase visibility into your risk, such as misconfigured settings, excessive access rights and threat activity. In addition, if your organization is subject to any regulations or industry standards, highlight any ways in which you are unable to meet applicable requirements and prove compliance.
One especially clear and quantifiable measure is the number of attack paths in your Active Directory that adversaries could abuse to gain total control of your domain. With a quick and free AD risk assessment, organizations often uncover thousands or even millions of attack paths and details about how to shut them down.
Pair your risk assessment with a detailed plan that shows how your cybersecurity budget will mitigate those risks. As noted earlier, be sure to explain how reducing IT risks translates directly into reducing business risk. For example, describe how the investments you propose can prevent financial losses by slashing the chances of data breaches and ransomware infections, as well as reducing the incident response costs detailed earlier. Quantify these savings whenever possible.
This approach provides management with compelling evidence for funding your cybersecurity budget. Indeed, research shows organizations with better business risk management efficacy prioritize cybersecurity budget higher than organizations with lower efficacy. Simply put, provide visibility and action is highly likely to follow.
Tell stories, and tailor them to your various audiences.
As you present the case for your cybersecurity budget, remember that humans respond well to both numbers and stories. So, along with hard figures, share real-world examples of organizations that suffered security breaches due to inadequate cybersecurity investments and do your best to quantify the damage that they suffered. Whenever possible, adapt your narratives to your current audience, choosing stories that will resonate with their experience, such as the roles they’ve held during their career or the sectors they’ve worked in.
On the flip side, also look for stories that illustrate how investing in cybersecurity has provided an organization with a competitive edge or other business benefit. For example, both customers and partners tend to prefer to do business with a company that demonstrates a commitment to security. Indeed, risk assessments or specific security controls can even be mandated in contracts, so it’s worth exploring whether achieving certain cybersecurity milestones would provide your organization with wider business opportunities.
Identify your most critical assets to focus your strategy.
Your cybersecurity budget should prioritize protection of your organization’s highest value assets, which are known as Tier 0. These assets include critical servers and privileged accounts. Because they provide access to critical data and are stepping stones to control of the IT ecosystem, Tier 0 assets are top targets of threat actors.
In an Active Directory environment, Tier 0 assets include domain controllers (DCs), which store crucial identity information and provide the vital authentication and authorization services necessary for business processes to run. In fact, often 90 percent or more of business processes are dependent on Active Directory and Entra ID (formerly Azure AD). Tier 0 also includes all accounts that have administrative control over the environment, such as members of highly privileged groups like Domain Admins and Enterprise Admins. Keep in mind that this includes not just user accounts assigned to human beings, but also service accounts and computer accounts.
Importantly, Tier 0 also includes all accounts that could gain elevated privileges. Note that the open-source tool BloodHound will clearly lay out the exact steps an adversary needs to take to move from ordinary user to highly privileged admin, using a combination of concealed permissions, nested group membership and inherent security gaps in AD architecture. Therefore, it’s vital to proactively identify those attack paths, mitigate them promptly and monitor any that you have not yet addressed.
CISOs say that their top security concern is the growth in digital channels for engagement with customers and partners, so focusing on the protection of the identities of customers, partners and employees will likely resonate with the priorities of your leadership team. Reducing the risk of credential compromise helps prevent attackers from gaining a foothold in the organization and moving laterally to compromise your Tier 1 assets.
Expand your thinking from cybersecurity to cyber resilience.
Instead of focusing narrowly on cybersecurity, broaden your thinking to cyber resilience. After all, your core goal isn’t merely to avoid cybersecurity incidents. Rather, it’s to keep the IT systems — and therefore the business — up and running as much as possible and get it back up and running quickly when a disruption does occur. And disruptions are not caused only by deliberate attacks; they can also result from non-malicious events like errors by IT admins, power outages and equipment failures.
Accordingly, a truly effective cybersecurity budget should cover all four pillars of cyber resilience:
- Anticipate — Plan for as many types of adversity as possible, including cyberattacks, natural disasters, structural failures like power outages, stresses like unexpectedly high loads on systems, mistakes by overworked administrators, and malicious activity by employees or contractors.
- Withstand — Take steps to ensure that essential functions can continue in the face of adversity. This requires identifying those essential functions, along with all supporting processes, systems, services and infrastructure. Then take steps to minimize the risk of those functions being disrupted by the types of adversity you identified.
- Recover — Ensure you can restore essential functions during and after adversity.
- Adapt — Your business needs, your IT ecosystem and the cyber threat landscape are constantly changing, so be sure to regularly assess your inventory of critical business functions and their supporting capabilities, as well as your mitigation, response and restoration strategies.
Enable fast Active Directory recovery.
The third pillar of cyber resilience merits further discussion. Often, backup and recovery strategy is limited to thinking about data, like email content, databases and documents. And it’s certainly important to be able to restore this data if it’s deleted or corrupted, whether by accident or as part of a deliberate attack. But notice that the Recover pillar focuses on restoring “functions” rather than “data.” That’s because even if you restore all your databases and email messages and spreadsheets, they are of exactly no use if Active Directory isn’t up and running to provide access to them.
Active Directory is both a database and a set of vital services, so simple data backup and recovery won’t bring it back to life after a disaster. Rather, Active Directory disaster recovery is all about getting your domain controllers working again so they can deliver essential services such as authentication and authorization. Simply put, without at least one operational DC, your on-premises or hybrid Microsoft ecosystem cannot function.
Recovery of DCs requires meticulous coordination of numerous steps across multiple phases: preparing for the process, actually performing the restore, syncing the DC with its replication partners and making it available again, and more. That’s complicated enough if the disaster has taken down all the DCs in one AD domain; if your entire Active Directory forest is affected, the recovery process is even lengthier and more complex. And remember, every second that Active Directory is down, your business is down.
That’s why it’s vital to invest in a dedicated Active Directory backup and recovery solution. With the right solution, you can dramatically AD downtime — and therefore business downtime and financial losses. Reports of real-life experiences include one organization that slashed AD restoration time from 6 days with manual processes just 1 hour and 15 minutes, and another that switched AD recovery tools and reduced AD recovery time from 1–2 days to just 1–4 hours — yielding $19.7M in potential savings over three years from faster recovery from ransomware attacks. These numbers will surely resonate with the C-suite as they review your cybersecurity budget.
How much will cybersecurity spend be in 2023?
Finally, let’s explore the outlook for cybersecurity budgets and key trends that will likely affect it in the coming years. According to one study, at nine out of ten organizations, cybersecurity budgets increased from 2022 to 2023 and are expected to increase from 2023 to 2024. The increase from 2022 to 2023 was 11 percent, and a further average increase of 19 percent is forecast for the 2023 to 2024 budget cycle. Not surprisingly, most CEOs and CISOs say they could put more budget to productive and effective use — from twice as much budget to three to five times more.
However, another report finds that cybersecurity spending increases are starting to taper off in response to factors like global instability and inflationary pressures. It notes that many CISOs even said that their approved 2023 budgets were being cut as part of overall budget tightening. Among the organizations that did increase their cybersecurity budgets, 80 percent indicated that the budget increase was driven a security incident, major industry disruption or other extreme circumstances — reflecting the tendency toward reactionary thinking discussed above.
Other key trends related to cybersecurity spending include the following:
- Ransomware — Ransomware attacks continue to skyrocket, nearly doubling in frequency from 2022 to 2023. As a result, organizations will need to include effective ransomware detection, prevention and recovery solutions in their cybersecurity budgets.
- Cloud security — As organizations migrate more data and workloads to the cloud, spending on cloud security solutions will rise.
- IoT security — Similarly, as organizations adopt IoT devices, they will need to allocate cybersecurity budget to understanding and mitigating their vulnerabilities and monitoring activity around them.
- Artificial intelligence (AI) and machine learning (ML) — These rapidly advancing technologies are being actively exploited by adversaries, who can now launch effective attacks with less technical skills than ever before, so organizations need to adjust their cybersecurity strategy to mitigate risk. At the same time, AI and ML are also enabling improvements in threat detection and response solutions, which IT teams will be including in their cybersecurity budget requests.
- Regulatory changes — New data protection and data privacy regulations are being enacted at all levels of government, and existing mandates are being revised with stricter requirements and steeper penalties. Organizations will be adjusting their cybersecurity budgets to help ensure compliance.
- Zero Trust security model — Organizations worldwide are adopting a Zero Trust approach to cybersecurity. This security model holds that no user or service should be trusted implicitly and that organizations must actively look for suspicious activity. Zero Trust goes hand in hand with a cyber resiliency mindset, since implementing a Zero Trust model can be the difference between suffering a limited hack with insignificant damage or a major incident that brings vital business processes to a screeching halt.
Developing a solid cybersecurity budget and getting it approved is not a simple process. To help ensure success, be sure to get hard data about your current IT risk posture and articulate clearly how those IT risks translate directly into business risks. Focus your cybersecurity budget where it will have the most impact: on your Tier 0 assets, especially Active Directory and Entra ID, since they manage your identities and control access to your vital systems and data. Finally, broaden your thinking from cybersecurity to cyber resilience, and make effective Active Directory disaster recovery a core part of your cybersecurity budget.