Four Top Tips for Benchmarking Your Annual Cyber Security Investments

Brian Martin, Head of Product Management, Integrity360

How can organisations benchmark ever-expanding cyber security investments and ensure spending isn’t misplaced?

Convincing C-level executives to actually fund a better cyber security strategy is only half the challenge. The other half is figuring out how to best invest those resources.

The price of benefiting from the full range and flexibility of financial services today includes eternal vigilance against an ever-expanding diversity of cyber threats to the data, networks and systems that sustain trading and banking operations and services.

According to Trend Micro the banking industry experienced a 1,318% year-on-year increase in ransomware attacks alone in the first half of 2021. And according to IBM and the Ponemon Institute, the average cost of a data breach in the financial sector in 2021 was $5.72 million. Worryingly, Cybersecurity Ventures expects global cybercrime costs as a whole to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025.

The worst thing to do is to ignore the cyber security investment altogether, but quantifying the objective value of such investment remains difficult. This means benchmarking is crucial, and a very useful tool to make sense of best-practice.

Benchmark 1: Industry and sector comparison

One category-based approach to benchmarking cyber security spend is to look at budgets through the lens of what peers spend on their cyber security strategies.

According to estimates from leading analytics firm GlobalData, increased demand for cybersecurity will lead global security revenues in the retail banking sector alone to rise from $7.9bn in 2019 to $9.8bn by 2024. This implies an annual increase in security budgets of approximately 5% per annum.

The finance sector spends more on cyber security than many other industries. However, financial firms are aware that they face, and can be subjected to, greater levels of cyber risk exposure than the average private-sector organisation. This suggests that an industry or sector comparison should not be the only benchmark relied upon when assessing appropriate spend.

Benchmark 2: Consider internal risk developments and security profile

Many organisations may adopt a rule of thumb without considering their own specific risk profile. Yet adjusting the budgetary range to fend off more data security threats or satisfy increased regulatory scrutiny might be justified by an organisation’s specific individual needs.

A business might overspend and still have gaps, or spend below the industry average and have solid protection. This makes security spending best practice an exercise in risk management. Bankers and traders must weigh fluctuating cyber risks against cost and overall value of a cyber security investment. Optimal allocation and distribution of spend is a key factor to consider.

Benchmark 3: How much is allocated per resource or employee?

Another good indicator is allocation per resource, such as spend on remote working, cyber security spend per machine or network connection, or spend per employee.

According to Deloitte’s research, the average annual overall security spend per employee increased from $2,337 in 2019 to $2,691 in 2020.

How much is spent on, for instance, IT team salaries versus digital tools? Are these costs proportionate? If not, could a restructure of cyber security provision involving managed services elements, for example, represent greater value for money?

Benchmark 4: How is spending distributed across categories?

Similarly, assess the relative proportions of revenue spent per category. Are cyber security budgets perhaps over-weighted towards hybrid working or cloud, or authentication of identities, or threat intelligence? Traditionally, the majority of cyber security spend has been allocated to protection and prevention. However, most good security frameworks encourage a balance across identifying threats, risks and vulnerabilities, analysis, detection, response and recovery, and not just prevention.

Gartner has suggested a typical cyber security budget breaks down to:

  1. 50% for operational infrastructure security, from general network, endpoint and data security to identity, access and privilege management
  2. 20% for vulnerability management and security monitoring, including discovery, scanning and remediation
  3. 16% for governance, risk and compliance concerns
  4. 14% for application security, including ongoing penetration testing

It could be that an organisation benchmarks well on overall spend for its particular industry but overspends in certain categories and under-invests in others.

Results are not the only metric

When it comes to cyber security, perhaps more than in most areas, examining results is useful but not the only relevant measure. The level of nuance can in fact make managing cyber security investments the biggest cyber threat-related challenge of all.

Absence of attack alone does not prove either that money has been well spent, or even that a product or solution is doing the job of fending off aggressors. Yet even with cyber-attacks rising globally, and predictions of further rises in 2022, it’s rarely prudent to simply spend more.

When it comes to best practice, benchmarking is therefore essential for ensuring an organisation not only spends enough but in the right areas.
