If security is just another line item on your budget, then you’re doing something wrong, writes Thys Janse van Rensburg, General Manager: Western Cape at BUI.
Last week, a client contacted me to say they had “money left over” in their 2021 budget that had to be spent on security. “Can you just invoice us now and we’ll work out the details next year?” they asked. The week before that, I had received a very similar request; and the week before that, another.
For sales and the bottom line this is great, but when I take my sales cap off and look at things objectively, it bothers me that a business can get all the way to November and still not be sure how it should be spending its security budget.
When it comes to budgeting for security, you can’t be speculative. You need to have a plan. And if you haven’t spent your budget, it means you haven’t done what you said you were going to do and haven’t executed on a strategic plan. If you have money left over at the end of the year, did you really plug all the gaps? And have you invested enough in researching where the next gaps will be?
The fact that nothing huge went wrong this year doesn’t prove that you were well prepared. It could just be a case of good luck… And you never know when your luck will run out. You could suffer a catastrophic hack on 1 January.
I could dedicate this entire article to the short-sightedness of seeing security as just another line item in your budget. But I won’t. There’s nothing worse than an op-ed where the writer bangs on about what’s wrong with the world without even trying to venture a solution to the problem they’ve described. That’s why I’ll be putting my money where my mouth is and proposing some fixes.
Evolve, grow, and bolster
Security is an ever-evolving thing that has to be looked at on a daily basis. The effects of COVID-19 on business have been discussed ad nauseam, but the one thing it did teach us was that we need to be super flexible. If you don’t know what’s going to happen tomorrow, there’s no way your budget can.
Budgeting for security starts with having a cybersecurity plan. No matter how small your company is, you need to know what your minimum defences must be. Have you adjusted to a remote world where the perimeter now comprises myriad users and devices? Are you completely confident that you are protecting the company’s assets, identities, and data? Once you’ve got that sorted, you need to think about how you’re going to evolve in the future. The key here is to evolve, grow, and bolster! Where is your business going, and what security do you need to help it get there? And it’s not only your business that will evolve – cybersecurity challenges are ever-changing, so you have to factor that in, too.
You simply cannot budget for security on an annual basis. If your company is structured in such a way that you have to ask for budget from your CFO, I would recommend asking for a minimum amount to cover the basics and then adding a research mechanism that allows for extra spend. You need to have sufficient budget to deal with new and unexpected threats, but you also need to be constantly spending on research to reduce the chance of being taken by surprise.
To put it bluntly, if you don’t spend the money on research and development (R&D) and, more importantly, user education and awareness, you’ll eventually spend it on the hackers’ ransom demands and data recovery. And that’s before you’ve factored in the immense reputational damage that comes with any data breach.
Think like Silicon Valley’s giants
This may sound crazy, but I think that every business – no matter how small – needs to adopt a Silicon Valley approach to cybersecurity. Google and Facebook don’t think of security as a line item in their budgets. They have huge R&D teams that are constantly trying to predict the next threat and thus avert disaster. Obviously, the size of the R&D team (and the budget) will vary from business to business, but the concept remains the same.
Every business should ask itself “What can we not afford to lose?” If your business lost email for a week, what would it cost you? If your web server went down for 48 hours, could you afford to have that happen? And if it did, what would you do? In the same way that a high school needs a fire evacuation plan, you need a security disaster plan. This means having a clearly enunciated strategy and an ongoing relationship with the ‘first responders’ who will implement it. You can’t be scrabbling around for budget and searching for the names of security providers after the hackers have made off with your and/or your customers’ data.
While planning for the worst-case scenario is vital, even more important is doing everything you can to avoid a breach. Of course the high school needs clearly marked fire escapes and fully-functional fire extinguishers. But it also needs smoke detectors, fire-retardant building materials, and frequent electricity audits. It’s not rocket science. Prevention is always better than cure, but you also have to plan for the worst.
In my opinion, your security strategy should barely change from year to year. It’s all about preserving your reputation, making sure that data is safe, and that identities are 100% secure. What you need to do to make this happen will change from year to year, but the basic approach and need for risk awareness remains. Be ready and vigilant. Prepare for today and evolve for tomorrow.
I’m not a finance guy (in fact, I am banned from Excel!), so it goes without saying that I don’t know exactly how security budgets should be overhauled. But I can see that something is rotten in Denmark if managers are running around in November trying to find ways to spend their security budgets. The whole narrative needs to change. If you ask me, companies need to stop viewing security as a grudge spend and start seeing it as an opportunity… An opportunity to respect your customers, to outshine your competitors, and to drive the conversation forward.