Budgeting for cybersecurity is a concern for organizations worldwide. Already this year, we've seen several prominent government and business officials push to expand the capabilities and budgets of their security teams. Even President Obama weighed in on the discussion in early February with his announcement of the Cybersecurity National Action Plan, which included an expanded budget for U.S. government computer systems and a focus on technology security.
Over the past several years, we've often been asked by clients how their cybersecurity spending, capability, and maturity compare with those of other organizations. Clients also want broad recommendations on how they can more effectively understand and budget for their cybersecurity needs without vastly increasing their spending.
With hackers and threat actors getting more sophisticated each day, we often find ourselves telling clients that there is no magic percentage of the budget they should be spending on security. Instead, we counsel clients to consider the following to better determine their specific needs:
Careful consideration of how to secure your legacy business systems, what, if any, network security appliances are needed, and which lower-cost solutions can be implemented will give management a better idea of what their needs are in terms of a cybersecurity budget. Once these needs are mapped into the organization’s long-term plan, the available capital can be allocated for new development. When the budget for new projects is combined with the budget for ongoing maintenance and monitoring requirements, an organization will be able to determine its annual budget for both people and money.
It's also critical that the cybersecurity team have a seat at the table when business systems are discussed. All too often, non-IT employees see cybersecurity controls as a hindrance to their day-to-day jobs. The chief information security officer, vice president of IT, or chief information officer should be included in the decision-making process to offer the expertise needed to determine which updates, new technology, and new projects are really necessary. For organization leaders, making well-informed decisions about security requirements will give them more confidence when establishing their cybersecurity budget.
© 2018 Crowe Horwath LLP, an independent member of Crowe Horwath International.