When you think about cybersecurity vulnerabilities, you might think about the clever tactics malicious actors come up with, or the challenges your own team has practicing appropriate digital hygiene.
But there's one danger you might not consider when imagining cybersecurity vulnerabilities. What if a real threat to your security is in the suboptimal allocation of an inherently insufficient cybersecurity budget?
Getting real about cybersecurity budgets
Let's start by considering what a cybersecurity budget is. In theory, a cybersecurity budget is a rational allotment of financial resources towards cybersecurity based on an organization's identified cybersecurity requirements.
But in practice, the average cybersecurity budget is often an arbitrary allotment of financial resources based on a combination of last year's budget, a random percentage of IT spend, and an executive team's agreement on perceived financial risk in the event of a breach.
It may sound cynical, but it also makes some sense. After all, every other business function needs money, too — so cybersecurity needs must be balanced accordingly.
In a perfect world, where you operated on a requirements-driven cybersecurity budget, your organization would have double its current budget and be able to spend it in ways that would make the organization incrementally safer.
But this is far from a perfect world. Resources are limited, and the first thing to understand about suboptimal budget allocation is that you're starting the game already trailing the opposing team.
The truth? Most cybersecurity budgets are inherently inadequate.
The cybersecurity budget allocation challenge
So, your cybersecurity budget is starting off short. Given this context, let's frame the average cybersecurity budget and the allocation challenge it presents.
Allocating your cybersecurity budget isn't about making your organization 100% impervious to a cyberattack. You can't possibly do that. Instead, the goal of budget allocation is to minimize your organization's exposure to the adverse financial and operational consequences of a cyberattack.
What you need to do is structure your annual cybersecurity budget (expressed as a percentage of revenue) so that it minimizes the following:
- The likelihood that a threat actor will get into your environment
- The amount of time a threat actor who does get into your environment can remain active and undetected before they're neutralized
- The actual financial/operational harm a threat actor can cause during whatever time they remain active
The right way to frame the allocation challenge is this: it's consequence-reduction-within-real-world-resource-constraints. Sure, it's a mouthful. But your organization didn't give you budget to stop breaches. It gave you budget to protect it from financial harms. The two are closely related, but they are not the same.
One example: if you spend too much money trying to prevent every conceivable cybersecurity breach, known and unknown, you could easily make your organization even more vulnerable to harm. Why? Because you won't invest enough in the detection-and-response capabilities you need in the inevitable event that a user accidentally lets a threat actor in by doing something careless — like clicking on a phishing email.
Budget allocation, optimized to minimize the probability and potential magnitude of harms, is the order of the day.
MDR: The smart way to maximize budget allocation
So, what can you do to optimize allocation of your limited budget? Here are three suggestions:
- Rigorously focus on harm reduction. Re-evaluate your investment priorities considering the real impact on your business. Remember that the tendency to over-emphasize perimeter/endpoint security is a holdover from the days before cloud, remote work, and distributed teams changed the security game.
- Don't just think incrementally. Incremental adjustments to your budget aren't going to do the trick. The disparity between your funding and your mission has simply become too great — and will only grow. It is worth the effort to completely re-think your approach to budget allocation.
- Leverage Managed Detection and Response (MDR) to radically restructure cybersecurity spend. Cybersecurity budgets are typically split into three silos: headcount, technologies, and services. But an MDR solution can simultaneously reduce headcount requirements, cut technology costs, and provide cost-efficient access to expert services. MDR uniquely de-silos budgets — and empowers you to stretch your budget further.
The importance of addressing suboptimal budget allocation to cybersecurity cannot be overstated. Hone your technical skills. And, yes, carefully evaluate vendors' competing offerings. But whatever you do, don't forget to prioritize addressing your suboptimal cybersecurity budget allocation challenge this year. It's the biggest cybersecurity favor you can do for yourself — and the many people and teams who depend on you.
To learn more about the economics of cybersecurity, check out the Secureworks whitepaper “The New Economics of Cybersecurity and 4 Best Practices to Protect Your Business,” or visit www.secureworks.com.