“Every organization has its own cybersecurity journey.” In today’s digital world, it has become important to understand the role of cybersecurity and how it affects every organization. The event “How to Plan a Cybersecurity Budget?” set out to simplify that journey by helping organizations build a vision for security and plan a budget around it. The event was moderated by Mr. Ajay Bhayani of Ambisure Technology Pvt Ltd. Our guest speaker was Mr. Subramaniam Gupta Boda, an industry veteran with three decades of expertise in technology and security. He is a digital transformation and security professional, working with Brigade Group as Head of IT and Digital Security. In his previous roles, he was Chief Technology Advisor at NABARD and Global CISO at GMR Group. He has also worked at companies like BHEL and Mercedes.
Guiding thoughts– Every organization is unique. How the organization operates, how many digital systems are operational, and what the current business regulatory models are: these questions need to be answered first. With this in mind, a cybersecurity budget turns out to be complicated and has no easy answers. Budgets vary both between industries and within them. The budget depends on the nature, size, information infrastructure, information assets, regulatory requirements, and threat landscape of the business. The budget process consists of Initiative Identification, Cost Identification, Budget Approval, Execution & Protecting Budget, and ROSI Value/Benchmarking.
Initiative Identification– Identification should first be business-driven, treating cybersecurity as a business decision. Second, it should be risk-driven, aiming at risk reduction/mitigation and risk prevention. Third, there should be an evaluation of the current security landscape. Finally, it should be benchmark-driven, i.e., who has installed cybersecurity systems before us, and has our competitor installed them? Apart from the traditional emphasis on Confidentiality, Integrity, and Availability, Privacy, Safety, and Reliability have become equally important. Interestingly, it was discussed that awareness of cybersecurity is necessary, but awareness alone can’t solve big issues, because tools such as ChatGPT can emulate genuine communications. Businesses rely on email for communication in a fast-paced world, yet there is a level of ignorance about what might happen if someone attacks and destroys business operations.
Cost Identification– Once we understand the risks associated with the digital world, a foolproof cost plan is needed to estimate the tools and products that will be sufficient to safeguard the business. Cybersecurity organizations face a critical challenge: they lack a single omnipresent system for all security threats.
Here, the security landscape is huge. Different as well as similar security measures can cost the same, which is equally challenging. Questions arise, such as: should I look for a full suite of products covering everything from the same vendor, or should I go for the best-of-breed product? One can take into consideration the type of company, the size of the company, and the choice of the CISO (Chief Information Security Officer) for product decisions and cost evaluations. Also, the cost is not just the cost of the product, but the cost of buying, implementing, and operating the product. Coming to the budgeting aspect, two polls were released for the audience. The first asked, “What do you think is currently your company’s cybersecurity budget?”
- 45% said that their current budget is appropriate
- 55% said that they are under-funded
- 50% said that the budget is going to be the same
- 45% said that it’s going to increase
- And, 5% said that it’s going to decrease
The next question was, “How hard is your cybersecurity budget approval?” The results of the poll were:
- 70% say it’s a vicious cycle to get the budget approved
- 20% are dodging the budget, like floating on the murkier water
Budget Approval– When the budget is being decided, the necessity of security and the gravity of cybersecurity threats have to be discussed. Inquiries are made regarding:
- The number of attacks the company has witnessed
- Why cybersecurity is so important when other things are a priority
- Whether we really need this protection
A million-dollar question is: is protection directly proportional to spending? An annual loss expectancy is charted to compare the number of incidents vis-à-vis the potential loss per incident. Approval also requires showing the business impact and balancing protection with business needs. To get the budget approved, the cybersecurity department needs to communicate the risk, get the leadership to articulate its risk tolerance, and demonstrate that cybersecurity investments aren’t just for risk mitigation but are also growth enablers. Once the budget is approved, the business expects a return on security investment. For more information, visit the 2nd part of this session on How to Plan a Cybersecurity Budget.