We often hear clients and prospective clients asking "how much should I be spending on cybersecurity?" That is a very complex question and one that is not easily answered without first understanding what you mean by cybersecurity. There are many different versions of cybersecurity being pushed in the market and there is no "one size fits all" solution, despite what your vendor might tell you.

The key: spend on what is right for your organization, rather than settling on a set percentage of your budget. Below are some key questions that you should ask yourself:

Do I want to know the holes in my network, or do I just want to check the box for "testing done"?

A full 99.9% of companies offering cybersecurity services today are using automated vulnerability scanning tools and calling it a "penetration test." This approach is just fine if you simply need to check a box that you've done some testing. The problem with this approach is that the people performing the "test" are usually only mildly more qualified than you are to do this testing. Why would you pay someone thousands of dollars to press the start button on software that you could buy yourself? This leads to what we call "good enough" cybersecurity.

On the flip side, there are a few companies that go the extra mile to make sure that your system is addressed in the same way a sophisticated attacker would interact with it. These companies are going to find the vulnerabilities that are specific to your network configuration and give you a realistic view of where your vulnerabilities are located. They'll boast of advanced degrees in computer science or related fields and spare you the listing of certifications that anyone could get with a two-week training course.

The latter is going to be more expensive, but you'll actually be getting what you're paying for, unless, of course, you're looking to simply check the box.

Now that I've done testing, what am I doing to continuously monitor my network security?

This is a huge area with a new "product" hitting the market about every 10 minutes. Let me warn you here: technology is NOT always the answer. While there are some very good products in the market, human beings who are familiar with your network are still needed to put the alerts in context.

This is one of the biggest problems we're seeing lately. Companies are installing the fancy new product, subsequently getting millions of alerts a day, and having no clue what to do with them. What is the point of having these great new devices if you end up ignoring them because you are overwhelmed? If your budget allows, look for a provider who can take the logs that you are already generating and put them in a form that has context and is applicable to your specific network environment.

While there is generally strength in numbers, I'd also warn you to beware of the gigantic products. There is also strength in diversity, especially in the security monitoring space. There is a new article out almost weekly about how this or that software is going to end security threats. Well, guess which products attackers are going to be studying if a large percentage of companies are using that defense? You guessed it: the one that gives them access to the most targets once they find a way to bypass it.

To summarize, if you have a sizable security team with good qualifications, you are probably right to go with a technology approach to monitoring. If your IT team is already strapped for time on daily activities before they even look at security monitoring, you are probably best served by bringing in a service that does that for you on a constant basis.

So when considering what to spend on cybersecurity, it all comes down to what you need, so keep that top of mind. Also remember that you have to be vigilant to make sure you are actually getting what you think you are getting, as there is always a vendor waiting to sell you anything under the sun. And, if a majority of your business is done through network-connected devices and applications, it also makes sense to put a priority on protecting those things.

If you absolutely must judge your security spending by a percentage, I'd say that somewhere in the range of 20-25% of your IT budget is a good start.