This year, we can expect presidential campaign promotion to slowly kick into gear. Early next year, advertising will pick up, and by summer there will be so much media hype that we will be colossally sick of it long before the actual November 8 election. Then, in 2017, all will be silent. Why? Because, for obvious reasons, spending on presidential campaigns runs on a four-year cycle. Information security and disaster recovery budgets run on cycles too, but IT professional may be surprised at how budget cuts and other factors drive them.\nWhereas the monthly budget for presidential campaigns builds up exponentially until the event itself and then declines afterward, information security and disaster recovery budgets peak after major events such as the recent Sony hack and ISIS-sympathizers hacking U.S. military social media accounts. For a while, companies pour funding into the affected areas \u2026 in fact, I owe my career to the Loma Prieta earthquake in 1989 and the effect it had on my then-employer.\nBut memories are short and budgets are tight, and \u2013 as long as some new catastrophe doesn\u2019t hit the headlines \u2013 someone (not in IT) will say, \u201cWhy are we spending all this money? This has no ROI for the business! Cut, cut, cut!\u201d Funding plummets until the cycle begins again.\nIT people know better. And they are worried about this tendency to cycle budgeting in these critical areas. That, I believe, is why the results of a recent survey of IT professionals, commissioned by Sungard Availability Services*, were so clear. When asked what should be last to receive budget cuts, 51% said that security planning programs should be the last thing to receive budget cuts. Close on the heels of that answer, 42% said that disaster recovery testing should be last in line for budget cuts.\nYou see, IT people know the facts. For instance, they know that, in 2014, the average organizational cost of a data breach was just over $5.85M \u2013 15% higher than in 2013. They also know that companies spend an average of $686,000 per hour when experiencing downtime. ROI? The ROI for information security and disaster recovery testing is huge. It just happens to be measured in terms of what you don\u2019t lose and what you don\u2019t spend.\nWhen it comes to information security and disaster recovery spending, there are three flavors of company. The first flavor is not required to adhere to any rules and regulations, for example, those dictated by the Payment Card Industry (PCI) compliance standards. So they don\u2019t. Budgeting is easy, because they don\u2019t spend any money in these areas.\nThe second flavor of company is required to abide by certain rules and regulations. So they do. Just enough. They\u2019re in compliance, and that\u2019s good, but don\u2019t suggest going above and beyond the minimum, thank you very much.\nThe third flavor of company insists upon taking an active approach toward information security and disaster recovery, regardless of the headlines and regardless of any rules and regulations that apply to them. They spend a fair chunk of change on these programs in fair weather and in foul.\nHere\u2019s the kicker: if there is an adverse event in the news, flavors one and two get hysterical because they realize that they are not fully protected. There\u2019s a flurry of spending for a while, then the cycle continues and spending drops off again to pre-headline norms. Companies of flavor three can pretty much ignore the news. They\u2019re covered, and they know it.\nAnd what about if an adverse event isn\u2019t in the news \u2026 it\u2019s on the doorstep? Well, flavor three companies have a good chance of bidding it adieu and getting on with their day. And if it does manage to get \u201cinto the house,\u201d they can minimize the damage and the length of stay.\nCompanies one and two? Well, that depends on where they are in their budgeting cycle. If they\u2019re at low ebb on spending, then it\u2019s possible that a company hack or disaster will show them the true ROI of information security and disaster recovery.\nThe bottom line is this: it\u2019s time to break out of the information security and disaster recovery budgeting cycle - and provide continuous protection (and ROI) for your company.\n*The survey, conducted by SurveyMonkey Audience, reached 276 IT professionals and was completed in December 2014.\nThis article was previously posted on Forbes and Sungard Availability Services.