We often hear clients and prospective clients asking “how much should I be spending on cybersecurity?” That is a very complex question and one that is not easily answered without first having an understanding of what you mean by cybersecurity. There are many different versions of cybersecurity being pushed in the market and there is no “one size fits all” solution, despite what your vendor might tell you.
The key is to spend on what is right for your organization, not simply to settle on a set percentage of budget. Below are some key questions you should ask yourself:
Do I want to know the holes in my network, or do I just want to check the box for “testing done”?
A full 99.9% of companies offering cybersecurity services today are using automated vulnerability scanning tools and calling it a “penetration test.” This approach is just fine if you simply need to check a box that you’ve done some testing. The problem with this approach is that the people performing the “test” are usually only mildly more qualified than you are to do this testing. Why would you pay someone thousands of dollars to press the start button on some software that you could buy yourself? This leads to what we call “good enough” cybersecurity.
On the flip side, there are a few companies that go the extra mile to make sure that your system is addressed in the same way in which sophisticated attackers would interact with it. These companies are going to find the vulnerabilities that are specific to your network configuration and give you a realistic view of where your vulnerabilities are located. They’ll boast of advanced degrees in computer science or related systems and spare you the listing of certifications that anyone could get with a two-week training course.
The latter is going to be more expensive, but you’ll actually be getting what you’re paying for—unless, of course, you’re looking to simply check the box.
Now that I’ve done testing, what am I doing to continuously monitor my network security?
This is a huge area with a new “product” hitting the market about every 10 minutes. Let me warn you here: technology is NOT always the answer. While there are some very good products in the market, human beings who are familiar with your network are still needed to put context to the alerts.
This is one of the biggest problems we’re seeing lately. Companies are installing the fancy new product, subsequently getting millions of alerts a day, and having no clue what to do with them. What is the point of having these great new devices if you end up ignoring them because you are overwhelmed? If your budget allows, look for a provider who can take the logs you are already generating and put them in a form that has context and is applicable to your specific network environment.
While there is generally strength in numbers, I’d also warn you to beware of the gigantic products. There is also strength in diversity, especially in the security monitoring space. There is a new article out almost weekly about how this or that software is going to end security threats. Well, guess which product attackers are going to be studying if a large percentage of companies are using that defense? You guessed it: the one that gives them access to the most networks once they find a way to bypass it.
To summarize, if you have a sizable security team with good qualifications, you are probably right to go with a technology approach to monitoring. If your IT team is already strapped for time on daily activities before they even look at security monitoring, you are probably best served by bringing in a service that does that for you on a constant basis.
When considering what to spend on cybersecurity, it all comes down to what you need, so keep that top of mind. Also remember that you have to be vigilant to make sure you are actually getting what you think you are getting, as there is always a vendor waiting to sell you anything under the sun. And if a majority of your business is done through network-connected devices and applications, it also makes sense to put a priority on protecting those things.
If you absolutely must judge your security spending by a percentage, I’d say that somewhere in the range of 20-25% of your IT budget is a good start.