How Much Security is Enough?

Establishing a Cybersecurity Risk Versus Cost Model.

May 20, 2019 • Published by

When the City of Atlanta, Georgia suffered a ransomware attack on its systems in 2018, recovery cost upwards of $2.7 million and took well over two months before full capabilities were restored. More recently, in May 2019, the City of Baltimore, Maryland was hit by a similar attack that again crippled systems, with recovery costs still mounting and no firm date for regaining full capabilities. These are just two examples of the staggering cost and disruption that an infection or breach of your systems can cause.

While your company may not be as large as the city governments of Baltimore or Atlanta, losses from a cybersecurity infection or breach can affect an organization of any size for years afterward.

Every diligent company or organization understands that cybersecurity is necessary, but many don't know how to budget for adequate protection. There is no single clear-cut number, but you can develop a return on investment (ROI) or return on expense (ROE) equation to share with your budgeting team and the C-level executives who look to you for answers.

Start with Measurements

Establishing a cybersecurity risk versus cost model is the first thing you should do, and the first half of that model is the likelihood side: how exposed is your organization, and how often should you expect an event? If you operate in a heavily targeted industry, your business systems store valuable data, or your employees are prone to engage with phishing emails, your identified risk is higher.

Next, estimate what an event would cost you if it did occur. Ask what the financial impact of any downtime or outage would be, then add the cost of recovery and any penalties: recovery labor, lost revenue, customer loss and regulatory fines. Multiplying how often you expect an event by what one occurrence costs gives an expected annual loss for each scenario, which is the number the rest of the model works with.

Based on this cybersecurity risk versus cost data, you can set your risk tolerance: a financial figure for how much loss from security events you can absorb per year before the business is significantly affected. That figure also bounds your security spending, since paying more each year to avoid a loss than the loss itself would cost is a poor investment. Document the number so that everyone agrees on it, because it is the key input to budgeting.

Set a Budget

Based on the financial risk tolerance number, the next step is to budget for software, hardware, training, staffing and the other areas the money will need to go. Then prioritize the spend, accounting for necessities such as threat detection, prevention and user training. Something as basic as spending money upfront to educate your users (employees, contractors, etc.) on phishing and security awareness can have a big impact, since over 90% of breaches start with social engineering.

Penetration testing is another area to prioritize. At minimum, this should be an annual engagement in which a white-hat tester probes your environment the way an attacker would and you correct the holes and vulnerabilities found; repeat it after any major change to your systems, since a test of last year's environment says little about this year's. On a more regular basis, internal and external vulnerability scanning should also be part of your proposed spend so that new holes are detected quickly, before they become an incident.

Endpoint detection and response and centralized log monitoring should be considered alongside your incident response plan. Define what that plan looks like and exercise it, because detection tooling only pays off if someone is ready to act on an alert. Your budget should cover the tools you need to detect and respond to a threat in your network.

Finally, staffing is a budget component that can't be overlooked. Look at the cost to hire skilled security personnel in your area. This is one instance where cheaper isn't better: lower-cost hires won't give you the same level of expertise or the critical thinking needed to drive security. Building that skillset into your current staff can be a workable alternative, but keep in mind that expanding an existing employee's role to include cybersecurity is often overwhelming. It may save money in the short term, but to truly protect an organization, cybersecurity needs to be in the hands of a full-time specialist.
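As an added example (not from the original post or from ControlScan), here is a small Python model that carries the "Start with Measurements" and "Set a Budget" steps above through to numbers: expected annual loss per scenario from frequency and per-event cost components, return on security investment for each candidate budget line, and a greedy selection that adds the best-returning controls until the residual loss falls under the documented risk tolerance. It uses the standard annualized loss expectancy formulation (ALE = single-loss cost x annual rate) and ROSI = (loss avoided - cost) / cost, which the post describes in words but does not write out. The scenario figures, control names, the assumed loss reductions and the rule that overlapping controls combine multiplicatively are all constructed for illustration.

```python
"""Risk-versus-cost model: annualized loss per scenario, ROSI per control,
and a greedy budget that brings residual loss under the documented tolerance.
Added example; the scenario figures and control effects below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss event type, with the cost components the post lists."""
    name: str
    annual_rate: float        # ARO: expected occurrences per year
    downtime_hours: float     # outage length per event
    revenue_per_hour: float   # lost revenue per hour of outage
    recovery_labor: float     # recovery labor per event
    fines_and_churn: float    # regulatory fines plus customer loss per event

    def single_loss(self) -> float:
        """SLE: cost of one occurrence."""
        return (self.downtime_hours * self.revenue_per_hour
                + self.recovery_labor + self.fines_and_churn)

    def annual_loss(self) -> float:
        """ALE = SLE x ARO (expected loss per year)."""
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A budget line item: its annual cost and, per scenario, the fraction
    of that scenario's annual loss it is assumed to remove (assumption)."""
    name: str
    annual_cost: float
    ale_reduction: dict  # scenario name -> fraction in [0, 1]


# Constructed sample register for a mid-sized organization.
SCENARIOS = [
    Scenario("ransomware", annual_rate=0.25, downtime_hours=240,
             revenue_per_hour=1500, recovery_labor=120_000, fines_and_churn=50_000),
    Scenario("phishing_account_takeover", annual_rate=1.0, downtime_hours=8,
             revenue_per_hour=1500, recovery_labor=20_000, fines_and_churn=30_000),
]

# Constructed candidate controls; reductions are illustrative, not measured.
CONTROLS = [
    Control("security awareness training", 15_000,
            {"ransomware": 0.30, "phishing_account_takeover": 0.50}),
    Control("tested offline backups", 25_000, {"ransomware": 0.50}),
    Control("vuln scanning + annual pentest", 20_000,
            {"ransomware": 0.25, "phishing_account_takeover": 0.10}),
    Control("EDR + log monitoring", 60_000,
            {"ransomware": 0.60, "phishing_account_takeover": 0.20}),
    Control("network appliance refresh", 40_000, {"ransomware": 0.05}),
]


def baseline_ale(scenarios):
    """Expected annual loss with no controls applied."""
    return sum(s.annual_loss() for s in scenarios)


def residual_ale(scenarios, controls):
    """Annual loss left after applying controls; reductions against the same
    scenario are combined multiplicatively, not summed (assumption)."""
    total = 0.0
    for s in scenarios:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.ale_reduction.get(s.name, 0.0)
        total += s.annual_loss() * remaining
    return total


def rosi(scenarios, control):
    """Return on security investment for one control on its own."""
    avoided = baseline_ale(scenarios) - residual_ale(scenarios, [control])
    return (avoided - control.annual_cost) / control.annual_cost


def plan_budget(scenarios, controls, risk_tolerance):
    """Add controls in descending standalone ROSI, skipping any whose avoided
    loss does not cover its cost, until residual ALE <= risk_tolerance.
    Returns (chosen names, residual ALE, total annual spend)."""
    ranked = sorted(controls, key=lambda c: rosi(scenarios, c), reverse=True)
    chosen = []
    for c in ranked:
        if residual_ale(scenarios, chosen) <= risk_tolerance:
            break
        if rosi(scenarios, c) <= 0:
            continue
        chosen.append(c)
    return ([c.name for c in chosen],
            residual_ale(scenarios, chosen),
            sum(c.annual_cost for c in chosen))


if __name__ == "__main__":
    tolerance = 80_000  # documented annual loss the business agrees it can absorb
    print(f"baseline ALE: {baseline_ale(SCENARIOS):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:32s} ROSI {rosi(SCENARIOS, c):+.2f}")
    names, residual, spend = plan_budget(SCENARIOS, CONTROLS, tolerance)
    print(f"chosen: {names}\nresidual ALE {residual:,.0f}, spend {spend:,.0f}")
```

With these constructed inputs the baseline expected loss is $194,500 a year; training and backups alone bring it under an $80,000 tolerance for $40,000 of spend, while the appliance refresh has a negative ROSI and is never selected however low the tolerance is set. The point for the budgeting conversation is that the tolerance number and the per-control estimates, not the vendor's price list, decide where the next dollar goes; revisit the estimates whenever the scenarios or your exposure change.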

Protect Your Investments

Everything you've identified and documented above now needs to be protected. The tools and hardware, the staffing, the services and your risk itself must all be reassessed regularly, since the threat landscape keeps changing. Tools should be kept patched and updated and monitored for end of life; staff should be offered ongoing training; and third-party service providers should get a recurring performance review.

No organization stays static, so risk analysis isn't a one-time exercise. Your organization's risk changes over time and should be reviewed on a recurring basis. Treat cybersecurity as a business function and remember that it won't be permanently solved by a few purchases of hardware and software. Do that and you'll be positioned to be more effective and mature in your risk management efforts.

If your organization is struggling with a shortage of security-related manpower and expertise, ControlScan can help. Check out this helpful webinar, in which I share additional detail on the cybersecurity risk versus cost model, as well as the business benefits of leveraging an MSSP for real-time threat detection and response.