We often hear clients and prospective clients ask, "how much should I be spending on cybersecurity?" That is a complex question, and one that cannot be answered without first agreeing on what is meant by cybersecurity. Many different versions of cybersecurity are being pushed in the market, and there is no "one size fits all" solution, whatever your vendor may tell you.
The key is to spend on what is right for your organization, not simply to decide that a set percentage should go to these solutions. Below are some key questions you should ask yourself:
Do I want to know the holes in my network, or do I just want the box checked that I’ve had testing done?
The vast majority of companies offering cybersecurity services today run an automated vulnerability scanner and call the output a "penetration test." A scanner matches service versions and configurations against a database of known weaknesses; it does not attempt to exploit what it finds, chain findings together, or probe the logic that is unique to your environment. That approach is fine if you only need to check a box that some testing has been done. The problem is that the people performing the "test" are usually only mildly more qualified than you are to run it. Why pay someone thousands of dollars to press the start button on software you could buy yourself?
On the flip side, a few companies go the extra mile to engage your systems the way a sophisticated attacker would: manually exploiting and chaining the findings rather than just reporting them. These companies will find the vulnerabilities specific to your network configuration and give you a realistic view of where your weaknesses lie. They tend to point to advanced degrees in computer science or related fields rather than to a list of certifications that anyone could earn in a two-week training course.
The latter will be more expensive, but unless you are simply looking to check the box, you will actually be getting what you pay for.
Now that I’ve done testing, what am I doing to continuously monitor my network security?
This is a huge area, with a new "product" hitting the market about every ten minutes. A warning: technology is NOT always the answer. There are some very good products on the market, but humans who know your network are still needed to put the alerts in context.
This is one of the biggest problems we are seeing lately. Companies install the fancy new product, start receiving millions of alerts a day, and have no idea what to do with them. An alert that nobody reads is no better than no alert at all, so what is the point of these great new devices if the volume drives you to ignore them? If your budget allows, look for a provider who can take the logs you are already generating and present them in a form that has context and is tailored to your specific network environment.
While there is generally strength in numbers, beware of the gigantic products that everyone else runs. There is also strength in diversity, especially in the security monitoring space. Almost every week an article announces that this or that software is going to end security threats. Guess which products attackers study hardest when a large share of companies rely on the same defense? The one where a single bypass buys them the most access.
To summarize: if you have a sizable, well-qualified security team, a technology-led approach to monitoring is probably right for you. If your IT team is already strapped for time on daily activities before it even looks at security monitoring, you are probably better off bringing in a service that does it for you around the clock.
So when considering what to spend on cybersecurity, keep in mind that it all depends on what you are looking for. Also remember that you have to stay vigilant to make sure you are actually getting what you think you are getting, because there will always be a vendor waiting to sell you anything under the sun.
It also stands to reason that if the majority of your business is done through network-connected devices and applications, you should prioritize protecting those things. If you absolutely must judge your security spending by a percentage, somewhere in the range of 20-25% of your IT budget is a good start.