Prepare for the Unexpected: Costs to Consider in Security Budgets

The year 2020 catapulted cybersecurity from a technology problem to a business issue. Now, when organizations plan for digital transformation, leading with security is the norm. As it's now top of mind for business and technology leaders, cybersecurity should be a significant part of every budget — factoring in necessities such as tooling, consulting services, training, updates, new licensing, and even an insurance policy.

However, as budgeting traditionally occurs in silos, security leaders are still concerned the committed spend will not be sufficient. A recent AT&T Cybersecurity poll showed that nearly one-third (28%) of cybersecurity professionals are concerned about the prioritization of security investments.

As we near the end of the year, a time when security budgets are often reassessed, let's take a look at common direct and indirect security costs — and how organizations can get smart with their security spending.

The Direct Costs: Planning for Unexpected Disruptions
One of the most frequently overlooked direct cybersecurity costs is what organizations have been experiencing since early 2020 — the unexpected disruption and associated expenses as a result of the pandemic. In March 2020, when homes became offices and employees became remote workers, organizations struggled with unexpected cybersecurity expenses such as basic cybersecurity training, extra VPN licenses, extra licenses for secure email gateways, additional managed security services, and other typical cybersecurity budget line items.

Other unexpected, but real, disruptions include a cyberattack and its necessary remediation, unexpected business growth — either organically or through acquisition, and rapid change to accommodate competitive business initiatives.

Planning and budgeting for such disruptions is something a well-organized and strategic company considers as an unknown reality on a yearly basis. Organizations should use a strategic planning process to determine possible events that are likely and unlikely. Understanding where business risk may creep in over the course of the year helps organizations have a realistic budget that can help to successfully survive disruptions.

Failure to plan for the unexpected disruption can have dire consequences. For example, some businesses experiencing erosion from more nimble competitors could not adapt during the pandemic. Among other issues, the switch to everything remote, virtual, and touchless accelerated the decline of these businesses. Formerly stalwart brands have either gone out of business completely or are in restructuring mode.

The Indirect Costs: Crisis Management
On the other side of the coin lie indirect security costs. The most overlooked indirect cybersecurity cost is directly related to unexpected disruption: crisis management. In the event of an unexpected disruption, organizations may have to enlist the help of crisis experts such as outside cybersecurity professionals for remediation of an issue, the last resort of payment for a ransomware attack, or other crisis expenses.

Many organizations fail to think about a crisis situation and its remediation tactics. Planning for a crisis is not a failure — it's being realistic and strategic. Failing to plan for a crisis as part of an unexpected disruption can cause significant impact to the business including the loss of customer loyalty, shareholder confidence, tarnishing of the brand, and ultimately, the business. While it's true that planning for a crisis may cost a company more day-to-day (depending on the amount of work done, the industry and the geographies to be covered), it is still far more cost effective than being unprepared in a crisis, which can cost up to millions of dollars in mitigation and potentially hundreds of millions in reputation and shareholder value.

Cybersecurity is no longer an isolated technical team or issue; it's a business enabler. Organizations that update business models to include cybersecurity as part of a strategic planning process may be able to withstand unexpected disruptions better than organizations that view cybersecurity as simply a technical problem to be solved.