There’s an awkward question that nobody wants to answer in the cybersecurity profession. If you avoid this question, non-security professionals will answer it for you. You owe it to the organization to face this question directly and give a thoughtful answer.
The question is simple: What cybersecurity cost should your organization pay?
However, the answer is more complicated. Some organizations, such as large banks, are comfortable paying vast sums annually for cybersecurity protection. JP Morgan Chase, one of the largest banks in the world, spends over $500 million per year on cybersecurity, which includes 3,000 security employees. According to Jamie Dimon, chairman and CEO of JPMorgan Chase, cybersecurity “may very well be the biggest threat to the U.S. financial system.” If you operate in the financial industry, you need to allocate a significant budget to keep up.
Now, you might be thinking that your company isn’t a high-profile bank. You might not face thousands of attacks every day. Does that mean you can spend a small amount on security and rest easy? The answer is, maybe. To find out for sure, you need to take a step back and consider what factors drive cybersecurity cost.
Why Are Cybersecurity Costs Increasing?
Compared to a decade or two ago, the amount of resources companies spend on cybersecurity has skyrocketed. Why? A few factors drive the answer.
Increased Security Risk Due to Cloud/SaaS Usage
As more companies use SaaS and cloud services, there are more places to attack. A single weak point can open the door.
Increased Rewards for Successful Hacks
A single successful hacking attempt that obtains credit card information can be quite lucrative. One estimate found that a stolen credit card is worth about $30. Other corporate data assets may attract a higher price.
Increased Costs for Cybersecurity Talent
Keeping up with changing technology and threats is stressful! Every company is grinding over the same small pool of security talent, which drives up the cost of cybersecurity attacks.
Increased Spending on Cybersecurity Attacks
According to the U.S. government report, the main nation-states that sponsor cyberattacks are Russia, China, Iran, and North Korea. With the resources of a government, cybersecurity attacks will only become more difficult to detect and prevent.
Increased Government Regulatory Pressure
Governments around the world are increasing the pressure on companies to improve their cybersecurity defense. For example, the U.S. government announced increased cybersecurity requirements for contractors seeking to do business with the government.
Given these growing risks, increasing your cybersecurity cost every year may be the right move. At a certain point, your organization’s senior management will say no to increasing spending further on security. If you see a good reason for further expansion, you need to measure value for money and make a case for an increase by showing the value of cybersecurity.
How to Measure Cybersecurity Value for Money
To put your cybersecurity cost in the right light, here are some of the ways you demonstrate its value.
Protect Brand Reputation
Would you trust a company that suffers from constant data breaches? A robust cybersecurity program contributes to trust and confidence in your company. For example, your company spends $10 million per year on marketing and sponsorships to raise your company’s profile. That marketing spend’s effectiveness may be severely undermined if you suffer a security incident.
Cost Avoidance: Incident Response
When your organization suffers a security event, you need to act swiftly to limit the damage to employees, customers, and assets. Unfortunately, hiring specialists to work around the clock to recover from an incident is expensive.
Cost Avoidance: Fines and Lawsuits
Suffering a cybersecurity failure can lead to lawsuits and fines. For example, British Airways has been fined over $100 million in 2019 for a data breach. If it spent half that amount on improved cybersecurity, it might’ve avoided the fine.
Cost Avoidance: Fraud (Internal and External)
Poor cybersecurity practices make fraud losses more likely to happen. For example, if employees develop bad habits such as sharing passwords, then fraud and unauthorized data loss are more likely to occur. Reducing fraud loss is one way that cybersecurity delivers value.
Support Revenue: Increase Your Sales for Enterprise Customers
Large companies such as Fortune 500 firms have worked hard to build an excellent reputation. Thus, they don’t want to take chances with their vendors. If you’re serious about landing such corporations as customers, showing you have a robust cybersecurity program may help you close the deal.
Use These Ways to Optimize Your Cybersecurity Cost
Despite your best efforts, your cybersecurity budget doesn’t always increase. What are some ways you can stretch your budget further to protect the organization? We have three suggestions.
1. Reduce the Impact of Security Events with Access Management
If a determined hacker targets your organization, you may not be able to stop it completely. However, you can use access management to slow the hacker down and prevent him or her from touching your digital crown jewels. To pursue this approach, look into our access governance solution.
2. Make the Help Desk More Productive
Instead of simply asking your employees to work harder at the same pay, direct your staff to work on more productive tasks. Use Apollo, Avatier’s AI agent, to handle repetitive IT security administration tasks such as user access changes and password reset requests. This will give your IT staff more capacity to proactively detect and prevent security threats.
3. Improve Employee Security Awareness and Skills
Your company probably has at least a few security experts who know dozens of ways to detect and stop security threats. Ask them to create training for your employees so that everyone can benefit from their knowledge. As a starting point, we recommend offering employee password training.
