Figure 1: (Image: Funtap via Adobe Stock)

Figures run the gamut as to how much organizations are spending on security. For example, at the end of last year (and pre-COVID-19), Gartner reported average spending on cybersecurity was 5% to 8% of overall technology budgets. Meanwhile, a more recent CIO survey of 683 IT executives worldwide places that statistic at 15%, on average, though 23% of the execs indicated they were spending 20% or more of their IT budgets on security.

So how much is enough? And what's the best way to evaluate whether you are allocating the right amount of money and resources toward security and risk mitigation?

"Is there a magic dollar amount every team should spend? No, but there is definitely a number that isn't acceptable, and that is zero," says Aaron Zander, head of IT at HackerOne.

Hack Yourself Secure
Of course, one effective way to at least identify holes and find places for improvement and investment is to test yourself.

Oliver Tavakoli, CTO at Vectra, suggests challenging your organization with pen testing and evaluating results as a way to measure whether security spend is where it should be.

"You know you're not secure enough when at least 50% of the time you cannot root-cause security incidents," he explains. "You know you're not secure enough when roughly the same attack succeeds multiple times."

Good, quantifiable threat behavior data, such as data available through frameworks like MITRE ATT&CK, can serve as a foundation for how prepared a company is against common ways attackers operate, says Chris Kennedy, CISO at AttackIQ.

"The MITRE ATT&CK framework enables organizations to see the attacker kill chain and, with a bit of analysis, show where companies stand against specific attacks," he says. "The security leader can analyze the way known attackers operate and emulate that attacker to validate the security investments in place are working as expected and are therefore actually worth the investment."  

Follow a Framework
Speaking of frameworks, MITRE ATT&CK is just one of many frameworks security leaders can turn to in an attempt to place some kind of formula to budget decisions. A security framework can serve as a guide and offer a foundation for measurement.

Mark Orlando, co-founder and CEO of security firm Bionic, advises CISOs to devise a maturity framework specific to their organizations and then measure security's progress within it. This helps to keep spending objective and ensure that budget line items are prioritized according to risk, business need, and industry or regulatory changes. What's more, budget planning according to the framework should not be done in a vacuum, he says.

"CISOs should engage with peers in their industry or market vertical, review public reporting on shifting threat and regulatory landscapes, and refer to public benchmarking data to compare their spending to similar organizations to help justify spending adjustments or changing priorities," Orlando says.

(Next page: Taking frameworks one step further)

(Continued from previous page)

According to Chad Spoden, a senior security analyst at FRSecure, CISOs can take the use of a framework a step further and assign values to certain risks.

"If we use a simple formula of 'one control meet equals one point,' we could simply ask a series of questions," he says. "For every question you are meeting the framework's suggestion, you add one point. If you are not meeting the suggestion, you add zero points. In the end, we would have a numerical score to help paint our security posture."

However, he notes, the formula will vary from business to business – and is still not a panacea.

"The reality is it's a little more difficult than simply adding up ones and zeros," he says. "Some risks are more impactful than others, so there could be a weight added to the control."

How Much Do You Stand to Lose?
It's not a new concept, but the one calculation everyone should attempt to make when making budget decisions is to determine how much the organization can stand to lose. Start with assessing the risk to critical data and infrastructure, and measure costs in loss of business and/or customers if any of those assets were stolen or taken down for a period of time.

"For instance, how much would you lose – a day or hour – if your website is down?" asks Corey Nachreiner, CTO of WatchGuard. "If you are an e-commerce company, this number could be very large, but if you are a building contractor, you may be fine for a couple days without your site. Your risk depends on your specific organization."

Another component you can also use to calculate potential loss is industry regulation fines. Healthcare companies, for example, need to comply with HIPAA. Retailers need to worry about PCI. Specific fees can help guide you to the ultimate cost of a breach. Unfortunately, it is also a difficult conversation to have, notes HackerOne's Zander.

"Walking into a meeting with your fellow executives stating, 'If we get a breach, we'll lose $23 million and 40% of our customers' isn't a great way to ask for money," he says. "What it does give you is a starting point to talk about mitigation."  

Hopefully after that, you'll have some solid information to offer executives about how you calculate your security budget needs. But it bears reminding: Figuring out how much you require still continues to be more art than science.

"There is no clear-cut number CISOs or security programs should be spending on their efforts," FRSecure's Spoden says. "The amount should be based on what controls the organization finds most important, where they fall short on those controls, and which adjustments can make the biggest impact for the lowest cost. As long as you do that, you'll be spending smartly."