Paul A. Watters – Ionize
and Simon Brown
It’s a question that is asked time and time again, and it may well be the most important commercial question in relation to cybersecurity investment: how much should I be spending on cybersecurity? As with the answer to most questions, this needs to be broken down into a number of sub-questions, some of which are easier to answer than others. Rather than offering a simple answer to a complex problem, we analyse the question as follows:
- Should you follow a fixed percentage guideline of revenue? Or profit? It depends on whether you are trying to protect profits or revenue. As always, we would advocate a risk-based approach – if cyber threats affect your revenue, eg, by denying service to your customers, then calculate a budget as a percentage of revenue. On the other hands, if you have stable revenue but variable costs that reduce profits, eg, by having to pay ransoms, then calculate as a percentage of profit.
- Is your financial management approach traditional or modern? Is this dictated by business practices, eg, an agile, high growth business, or by a regulator, eg, banks and financial services companies?
- Are some risks worth spending a fixed cost against to prevent cyber incidents, eg, endpoint protections, or should investment be weighted towards response which may have variable costs, eg, third party incident response?
- Is it worth investing anything at all if the potential consequences are low or negligible? Or to put another way, do you know what your “crown jewels” are, versus systems, networks and data that are peripheral and not worth protecting?
- Is it worth investing anything at all if the potential consequences are low or negligible? Or to put another way, do you know what your “crown jewels” are, versus systems, networks and data that are peripheral and not worth protecting? o $10m for critical infrastructure o $14m for financial services o $8m for government entities o $16m for industrials The difference between the smallest entities and the largest was considerable, ranging between $2m and $65m. As a percentage of overall IT budgets, the average was 7.5%. Internationally, Prosegur[2] report an average 10%, suggesting that Australian entities are still underinvesting in cybersecurity.
- What percentage of revenue should be spent on ICT, will then determine the percentage spent on cybersecurity. Computer Economics published data in 2019 across 25 industry sectors, but the summary (as a percentage of revenue) was as follows, using the 25th, 50th and 75th percentiles: o Manufacturing: 1.4, 2.3, 3.2% o Financial Services: 4.4, 7.9, 11.4% o High Tech: 2.6, 3.65, 4.7% o Retail: 1.2, 2.1, 3.0% o Health Care: 3.0, 4.45, 5.9% The average across all sectors at the 50th percentile was 2.5% of revenue. So in the Australian context, cybersecurity budgets should be roughly 2.5% of 7.5% of revenue. For a $100m company, this suggests a budget of only $187,500. Given that the average salary for even a single cyber analyst in Melbourne is $128,778 (with 35% on-costs, this rises to $173,850), it seems obvious that adopting an average of averages approach would not even begin to address the resourcing needed for an internal cyber team. If you really want to break down cybersecurity costs further, Cynet have developed a very detailed budget template which is freely available[3]. Does this mean that Australian entities are likely underinvesting in cybersecurity on average? We believe that this simple exercise indicates that this may be the case. However, it’s also important to note that not all companies – even with $100m revenue – may need full-time cybersecurity staff. Using a Managed Security Service Provider (MSSP), for example, may be one way to access a broad range of services on an “as needed” basis, which could prove cost effective. RSI[4] suggest that an MSSP budgets per user range from US$99-250 per month, or A$141-357. As an average, this conveniently works out at $A249 per month, or $2,988 per annum. Taking our budget of $187,500, the implies that something on the order of 62.75 could be supported by an MSSP. Multiplying out the ABS data on SMEs (50 employees or $25m revenue), a $100m company may employ something on the order of 200 people[5]. So while the average case of 62.75 employees on the highest package seems expensive, in fact, the cheapest case is quite close: $141 per month would cover 98.99 employees. Can we then conclude that Australian business should be doubling their cybersecurity spend, even using the cheapest case? It’s hard to draw such a broad conclusion from some simple numerical modelling. Yet it is also true that some Australian entities are repeatedly attacked, while others seem to be better able to defend and prevent. This is almost certainly a function of overall investment, but also investment in the right categories. Further research is required to fully prove the case for cybersecurity investment to protect both revenue and profits. It’s important to note that Boards an executives must manage a number of competing demands when devising budgets, and not just cyber budgets – every dollar spent on cybersecurity controls may be perceived as reducing profits and shareholder returns. In the current market, Boards may be willing to tolerate higher levels of cyber risk, to maximise profits. At the end of the day, a good CISO will be able to amplify and clarify which elements of cybersecurity spend will have the greatest impact within a given context.
Additional Resources
CISO Lens Benchmark: https://www.cisolens.com/benchmark
Prosegur Cyber Budget Report: https://cipher.com/blog/three-approaches-to-setting-cyber-security-budgets/
Cynet Cyber Budget Template: https://go.cynet.com/the-ultimate-security-budget-template
RSI MSSP Budgeting: https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/#:~:text=When%20looking%20for%20a%20managed,dollars%20per%20user%20per%20month.
[1] https://www.cisolens.com/benchmark
[2] https://cipher.com/blog/three-approaches-to-setting-cyber-security-budgets/
[3] https://go.cynet.com/the-ultimate-security-budget-template
[4] https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/#:~:text=When%20looking%20for%20a%20managed,dollars%20per%20user%20per%20month.
[5] https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/pubs/rp/rp1819/SmallBusinessSector