There has been a lot of discussion among chief information security officers (CISOs) about the “right number” to invest in cybersecurity. It’s a hot button topic with few signs of waning. Unfortunately, there is no hard and fast rule for this type of investment due to various factors. If only it were as simple as a percentage, dollar amount or range. Let’s take a closer look at why it’s hard to find a “magic number” for cybersecurity investment.
To begin with, current spending is difficult to quantify for most organizations. The majority of cybersecurity spending is typically buried in other IT budgets and often spread across separate cost centers in many organizations. Ultimately, this makes the money hard to track. Furthermore, percentages vary with large organizations spending less than 5 percent of the IT budget on security while smaller organizations may spend as much as 25 percent of the IT budget on securing data. Because spending is so frequently buried in other budgets, the ability to compare percentages or amounts among peers difficult to calculate as well.
One approach to the question of how much to invest is to identify and quantify the risks to an organization for a breach or outage. Clearly, if critical intellectual property or customer data is compromised, there is a measurable business impact which can at least be estimated. This is a good way to frame the discussion and to prepare a business case for investment in cybersecurity.
This provides a number, but it’s still not the real “right number.” So how do we get to the “right number” to invest in the first place? How would an increase (or decrease) of 10 percent affect the security of an organization? Perhaps a better approach would be to stop focusing on the economics of the defender and start thinking about the economics of the attacker.
Here’s an example. Suppose I live in a $100,000 house. Should I use a percentage of the value of the house to decide how much to spend on a door lock? What would be the right amount? Would it be one percent ($1000)? If someone else lives in a $500,000 house, should they spend five times as much? Probably not. Perhaps the calculation should include the neighborhood they live in and the likelihood of a break-in. That’s why you might see more expensive locks in cheaper neighborhoods.
Going further, if all my neighbors purchase $25 locks, do I need to purchase a $1000 lock? Probably not. All things being equal, I would probably be safe with a $50 lock because my objective is to get the attacker to move to an easier target. That’s the point of cybersecurity investment.
If the goal of an organization is to mitigate attacks, then it’s the economics of the attacker, not the defender, that matter. An organization only needs to spend enough to make an attacker decide it’s not worthwhile to attack and move on to an easier target.
So how do we do that?
To start, we need to consider what would make an attacker decide to move on as opposed to continue attacking. The calculation is based on the cost/benefit ratio of the attacker. If you are defending a database of 10,000 customer credit cards and card numbers go for $5 each on the black market for a total value of $50,000, then an attacker won’t risk even $1,000 trying to get it. There simply isn’t a good enough return on investment, especially if firewalls and software appears up to date, and there is no guarantee of success. The attacker can’t afford to go out and purchase dedicated Wi-Fi sniffing hardware or bribe insiders to try to get in. They will move on to easier targets.
Therefore, it’s important to have people in a defensive organization who have been educated in the techniques and tools of attackers. Their knowledge, combined with an understanding of the value of the data to the attacker, can help to determine what type of attackers are most likely to attack, what their goals are, and most importantly, how persistent they will be. Organizations can then make informed investment decisions on the other components of cybersecurity, such as hardware and software products.
First and foremost, Global Knowledge recommends training people as the initial investment in cybersecurity because they can then inform the “right number” for investment in technology and process. To learn more about how to take steps toward this investment, take a moment to view our complete cybersecurity portfolio.