Investing in Cyber Security, What's the Magic Number?

These days the internet is a very different experience.

Most businesses, organisations and countries are now fully connected, and are embracing the World Wide Web to create the kind of opportunities that never existed a decade ago.

Yet the move to a fully connected landscape comes with risks. We hear about national security concerns all too often. Staying connected has increased our vulnerability to attack from rogue actors – making the investment in cyber security even more important.

Over the last few months, one of the most common questions I’ve heard asked is:

What's the right amount to spend on cyber security? 

Speaking with colleagues and clients, there’s unequivocal consensus that protecting client, employee and company assets is essential. In fact, according to recent global research by Accenture, 90 percent of executives agree that safeguarding client data is a top priority. 

But agreement on how much to spend on cyber security raises a point of contention.

And the short answer is, there is no right answer.

You see, it depends on the organisation, the size of the cyber attack surface, the value it places on what it’s trying to protect, and the potential impact as a result of systems being compromised. And business priorities and appetite towards risk can vary greatly.

A bank seeking to protect client information from a criminal syndicate will have different requirements compared to a government agency needing to protect its classified information.

Different security needs will drive investment differently.

I’ve seen various figures suggested for cyber security spending.

Some arbitrarily suggest that "up to ten percent" of an organisation's ICT budget should be allocated to cyber security. Others say that cyber security spending should be set as a percentage of an organisation's capital or operational expenditure, or both.

I'd hesitate to take such an approach, because there’s no one-size-fits all to cyber security. Subsequently, there’s no magic number which can be applied universally.

Capture the strategic picture first

So how can we do this to get the investment number more right than wrong?

Well, there's a logical approach.

It starts with performing a top-down assessment of the organisation to understand the current cyber security posture, with a view of getting to a cyber security target state.

Here, the NIST framework is extremely useful and can guide cyber security specialists to review organisational practices against the current threat landscape. This will help identify where investment can generate the most benefits. An assessment should look at:

1. The ability to identify cyber security risks,
2. The capacity to protect the organisation with appropriate cyber security safeguards,
3. The scope to detect cyber security events and understand what they mean,
4. The speed to respond and contain the impact of a detected event, and
5. The resilience to recover and restore any capabilities that could be impaired.

Assessing the strength of these functions will allow an organisation to understand the current cyber security state, identify the "crown jewels" and prioritise gaps for improvement.

Translate gaps into investment needs

The key is to understand in financial terms, how specific cyber security initiatives will reduce risk across the gaps and produce a quantifiable benefit. 

Let's take a hypothetical example.

Imagine that a cyber security assessment reveals that only 80 percent of a government agency’s servers are protected. The unprotected servers contain sensitive information, and an attempted cyber attack by a foreign entity is considered “likely”. If a cyber security incident was to occur, it could have a “major” impact and this represents a "high" risk.

Fortunately, there's a way to address this risk and justify the ask.

For instance: by spending X to purchase new software, the government agency could protect 100 percent of its servers. This would lower the cyber security risk from "high" to "medium" and reduce the likelihood of a successful attack. Over 12-18 months his would also generate downstream savings of X as a result of fewer breaches and recovery activities.

See the clear linkage between problem, initiative, investment and benefit?

The idea is to therefore review the gaps, identify clear and measurable initiatives, calculate the costs and prioritise investments according to organisational need.

Final thoughts and takeaways

Few organisations have an unlimited cyber security budget. So if only some initiatives can be funded, at least the cyber security risk and opportunity cost can be clearly understood. Remaining initiatives can be built into the organisation's long-term cyber security strategy.

Nevertheless, by identifying the “crown jewels”, prioritising investment and enhancing security across the functions that need it, an organisation can balance risk with its budget.

And using this approach you're more likely to find the right investment number, not a random magic number, that hopefully won't break the bank.

Adam Misiewicz is an experienced cyber security consultant and the General Manager of Cyber Security at Vectiq - a Canberra-based services company.