As 2023 draws to a close, with cyberattacks proliferating and security budgets continuing to rise, CISOs must develop and present a realistic cybersecurity financial plan that will help protect their organizations. Such a budget requires buy-in from board members and sets feasible goals for cyber risk reduction in 2024.
An optimized cybersecurity budget is one that delivers the highest return on investment for the risk it removes. Creating such a budget, and then explaining it and getting approval for it from executives, sounds like an impossible task. How can CISOs create and present a reasonable cybersecurity plan and budget to their boards?
To find out how this goal can be achieved, we spoke with CYE’s founder and CEO, Reuven Aronashvili, who offered these essential tips:
1. Consider KPIs
When planning a cybersecurity budget, it's important to track three KPIs, each expressed in the same financial terms so they can be compared:
- What is the current organizational cyber risk? To determine this, cyber risk must be translated into financial risk, typically as the expected loss from plausible incidents. For example, it might be determined that a data breach could cost an organization as much as $200M.
- How much of the risk is acceptable, and how much should be mitigated? Not all risk can or should be mitigated; residual risk is never zero. The CISO must decide how far risk should be reduced, for example from $200M to $50M, and what it would cost to do so. That cost of mitigation then becomes the basis for the cybersecurity budget.
- How much of the remaining risk can be transferred to a third party? For example, if a company expects to be left with $50M of cyber risk after mitigation, it might purchase cyber insurance with a $30M coverage limit, leaving $20M of retained organizational risk (plus the premium, which is itself a budget line).
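The three KPIs above form a small accounting model: current expected loss, the part removed by mitigation (bought control by control), and the part transferred to an insurer. The following Python example, added here and not taken from the article or from CYE, walks through that model with constructed figures: candidate controls are ranked by expected loss avoided per dollar (the per-tool ROI check), compliance-mandated controls are taken regardless of ROI, and an insurance policy is applied to whatever risk remains. Control names, costs, reduction estimates and the policy terms are all assumptions; the model also assumes control reductions are independent and additive, which real estimates are not.

```python
"""Worked cyber-risk budget model (added example, not the article's own code).

All figures below are constructed for illustration. Reductions are treated as
independent and additive, which is a simplifying assumption of this example.
"""
from dataclasses import dataclass

M = 1_000_000  # convenience multiplier: amounts are in dollars


@dataclass(frozen=True)
class Control:
    name: str
    cost: float             # one-year cost to deploy and operate, in $
    risk_reduction: float   # estimated reduction in annual expected loss, in $
    mandatory: bool = False  # required for compliance regardless of ROI

    @property
    def roi(self) -> float:
        """Expected loss avoided per dollar spent."""
        return self.risk_reduction / self.cost


def plan_mitigation(current_risk, target_residual, controls):
    """Select controls until expected residual risk is at or below target.

    Mandatory (compliance) controls are always taken. The rest are taken
    best-ROI first; any control whose expected loss avoided is below its cost
    (roi < 1) is rejected as not worth the spend, even if the target is missed.
    Returns (selected_names, residual_risk, mitigation_cost, target_met).
    """
    residual = float(current_risk)
    spend = 0.0
    selected = []
    for c in (c for c in controls if c.mandatory):
        selected.append(c.name)
        residual -= c.risk_reduction
        spend += c.cost
    optional = sorted((c for c in controls if not c.mandatory),
                      key=lambda c: c.roi, reverse=True)
    for c in optional:
        if residual <= target_residual:
            break
        if c.roi < 1.0:
            continue
        selected.append(c.name)
        residual -= c.risk_reduction
        spend += c.cost
    residual = max(residual, 0.0)
    return selected, residual, spend, residual <= target_residual


def transfer_risk(residual_risk, policy_limit, premium):
    """Cyber insurance: transfer up to policy_limit of residual risk for a premium.
    Returns (transferred, retained, premium)."""
    transferred = min(residual_risk, policy_limit)
    return transferred, residual_risk - transferred, premium


def budget_summary(current_risk, target_residual, controls, policy_limit, premium):
    """Combine the three KPIs into the figures a board presentation needs."""
    selected, residual, spend, met = plan_mitigation(current_risk, target_residual, controls)
    transferred, retained, premium = transfer_risk(residual, policy_limit, premium)
    return {
        "current_risk": current_risk,
        "mitigated_risk": current_risk - residual,
        "residual_risk": residual,
        "transferred_risk": transferred,
        "retained_risk": retained,
        "mitigation_cost": spend,
        "insurance_premium": premium,
        "total_budget": spend + premium,
        "target_met": met,
        "projects": selected,
    }


# Constructed candidate controls (hypothetical names and estimates).
CANDIDATES = [
    Control("EDR rollout", cost=4 * M, risk_reduction=60 * M),
    Control("Immutable backups", cost=3 * M, risk_reduction=45 * M),
    Control("MFA everywhere", cost=1 * M, risk_reduction=40 * M),
    Control("DLP for regulated data", cost=2 * M, risk_reduction=10 * M, mandatory=True),
    Control("Legacy SIEM replacement", cost=6 * M, risk_reduction=5 * M),  # roi < 1
]

if __name__ == "__main__":
    summary = budget_summary(200 * M, 50 * M, CANDIDATES, policy_limit=30 * M, premium=1.5 * M)
    for key, value in summary.items():
        print(f"{key:>18}: {value}")
```

With these inputs the model takes DLP first (mandatory), then MFA, EDR and backups in ROI order, stops at $45M residual (under the $50M target) for $10M of mitigation spend, rejects the SIEM replacement because it avoids less loss than it costs, and after the $30M policy leaves $15M of retained risk on a total budget of $11.5M. Changing the target or the policy limit shows the board exactly which projects move which KPI.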
2. Consider Complexity, Adjustments, Compliance, and ROI
When planning a cybersecurity budget, think about not just the cost of a tool, but also its complexity. What will be the effect on people, processes, procedures, and operational capabilities? These are important parameters to consider.
In addition, it’s essential to think of risk as dynamic and adjust the budget accordingly. For example, a retail company might decide that cyber risk in March is not as significant as cyber risk in busy December, which might threaten a sizeable number of sales. As such, the company may choose to allocate resources differently during the holiday season.
Any budget will need to prioritize regulatory requirements, since compliance is non-negotiable. For example, financial organizations will need to have Data Loss Prevention (DLP) to comply with various regulations; this is a given.
Finally, it’s important to only approve new initiatives according to your organization’s true needs. A thorough ROI analysis should be required for the purchase of every new tool to determine that it will be a worthwhile expense.
3. Consider New Threats and Requirements
Any cybersecurity budget for 2024 should be sure to consider these new threats and requirements:
- Attacks are becoming much more personal, targeting C-level executives. For this reason, it’s important to budget for the personal protection of VIPs.
- Risk from AI has grown sharply, both as a new attack surface and as a tool for attackers; any cybersecurity budget and strategy should consider how to mitigate this threat.
- Regulatory requirements are quickly becoming an offensive tool. For example, we have seen attackers threaten to report an organization's non-compliance to the SEC. For this reason, it's important to understand and comply with regulations so they don't become leverage for extortion. In the event of a breach, disclosing it promptly through the required channels removes that leverage.
- Frameworks such as the NIST Cybersecurity Framework are adding requirements around governance (CSF 2.0 introduces a dedicated Govern function), requiring management to play a greater role in cybersecurity. Consequently, budgets should emphasize cyber risk management optimization and quantification in 2024.
4. Be Absolutely Clear
By presenting acceptable residual risk, mitigated risk, and transferred risk to the board in the same financial terms, a CISO can be very clear about
- The goals for cybersecurity in 2024
- Which specific projects will help the organization achieve those goals
- How long those projects will take
- How much they will cost
With this clarity, the budget discussion becomes easy: The board can truly understand cybersecurity risk and what to do about it. Consequently, accountability is shared with the relevant decision makers.
Want to learn more about building a 2024 cybersecurity strategy and budget? Watch our webinar.