Determining cyber security spend – what’s enough?

  • Date 11 Mar 2022
  • Filed under Insights
Cyber security strategy

Cybercrime can affect businesses of all sizes in every sector. In our inherently digital world, it is no longer a question of “what if”, but “when?”

Still, for many Australian businesses, defences fall short – a survey of 1400 global IT decision makers showed that 76 percent were hurt by their lack of cyber preparedness in 2021. It’s no surprise that almost 80 percent of senior IT and security leaders still lack confidence in their cyber security posture. Committing to bolstering cybersecurity budgets in 2022, some organisations are increasing budget allocations by as much as 31-51 percent, whilst the majority are raising budgets by between 11-33 percent.

You might be looking at those figures and thinking that’s a lot, and you might also be thinking about your budget and wondering ‘is it enough’, or even ‘is it too much?’

Deciding how much to invest in cyber security is not a decision that can be made easily. One cybersecurity investment strategy does not fit all, as organisations and individuals clearly have different drivers.

For many organisations it is often not clear what investments are efficient and what investments provide enough protection. Many worry about not having enough budget, the right team with the right knowledge, the latest technology, and on top of that many worry that they might still be impacted by a cyber-attack despite the fact that they did everything to prevent one.

To support decision-making in cybersecurity and to deal with uncertainty and complexity in decision-making, organisations acknowledge that cyber risk management is a way to support investment decisions. However, within the evolving cyber threat environment this can be slightly more difficult in practice than is described in theory.


A rational approach

A rational approach to arriving at a cost would be to define adequate security levels based on your organisation’s risk profile and maturity level. The risk profile relates to the current risks that concern the organisation, and the maturity level relates to the effectiveness of the security capabilities in place to adequately address those risks.

The maturity level can be useful in guiding an organisation towards its goal. It can also be used to evaluate an organisation’s current processes, practices and functions against a targeted future state and help make decisions about where to invest scarce resources to achieve the maximum benefit.

This involves a cost-benefit analysis. The approach includes identifying relevant risks and vulnerabilities, the probabilities of successful attacks, and all the possible costs of mitigating the vulnerabilities. Then it assesses how to defend against those threats, what mitigation actions you will take in the event of a cyber-attack, and how best to spend the resources in a prioritised way that achieves ‘bang for buck’.
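As an added illustration of the cost-benefit step described above (this is example code written for this page, not NRI’s methodology or a tool the article describes), the following Python sketch uses the common annualised loss expectancy (ALE) and return on security investment (ROSI) model: ALE = probability of a successful attack per year × loss per attack, and ROSI = (loss avoided − cost of control) / cost of control. Every risk, control, probability and dollar figure in it is constructed for the example, and the greedy selection rule is an assumption of the example rather than something the article prescribes. It ranks candidate controls against the loss that *remains* after already-chosen controls, so two controls that reduce the same risk do not both get credit for the same avoided loss.

```python
"""Risk-based prioritisation of security spend (ALE / ROSI model).

Added example for this page; figures are constructed, not real data.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    annual_probability: float  # estimated chance of a successful attack per year
    impact: float              # estimated loss per successful attack, in dollars

    def ale(self) -> float:
        """Annualised loss expectancy for this risk."""
        return self.annual_probability * self.impact


@dataclass
class Control:
    name: str
    cost: float                                   # annual cost of the control
    reductions: dict = field(default_factory=dict)  # risk name -> fraction of ALE removed


def total_ale(risks):
    return sum(r.ale() for r in risks)


def residual_ale(risks, chosen):
    """Loss expectancy left after applying every control in `chosen`.

    Reductions from several controls on one risk combine multiplicatively,
    so overlapping controls are not double-counted.
    """
    total = 0.0
    for r in risks:
        factor = 1.0
        for c in chosen:
            factor *= 1.0 - c.reductions.get(r.name, 0.0)
        total += r.ale() * factor
    return total


def rosi(control, risks, chosen=()):
    """Return on security investment of adding `control` to `chosen`."""
    chosen = list(chosen)
    avoided = residual_ale(risks, chosen) - residual_ale(risks, chosen + [control])
    return (avoided - control.cost) / control.cost


def prioritise(controls, risks, budget):
    """Greedy: repeatedly pick the affordable control with the best marginal ROSI.

    Stops when no remaining control both fits the budget and avoids more loss
    than it costs. Returns (chosen controls in order, total spent).
    """
    chosen, spent = [], 0.0
    remaining = list(controls)
    while True:
        candidates = [
            (rosi(c, risks, chosen), c)
            for c in remaining
            if spent + c.cost <= budget
        ]
        candidates = [(r, c) for r, c in candidates if r > 0]
        if not candidates:
            break
        _, best = max(candidates, key=lambda t: t[0])
        chosen.append(best)
        spent += best.cost
        remaining.remove(best)
    return chosen, spent


# Constructed sample risk register and control catalogue (illustrative only).
RISKS = [
    Risk("ransomware", 0.30, 500_000),
    Risk("phishing_credential_theft", 0.50, 80_000),
    Risk("web_app_breach", 0.10, 1_000_000),
]
CONTROLS = [
    Control("Offline backups + tested restore", 40_000, {"ransomware": 0.6}),
    Control("MFA for all users", 20_000, {"phishing_credential_theft": 0.8, "ransomware": 0.3}),
    Control("WAF + pentest of customer portal", 60_000, {"web_app_breach": 0.5}),
    Control("Endpoint detection & response", 50_000, {"ransomware": 0.5, "phishing_credential_theft": 0.3}),
]
BUDGET = 100_000


def run_example():
    """Apply the model to the constructed data; returns (names, spent, residual ALE)."""
    chosen, spent = prioritise(CONTROLS, RISKS, BUDGET)
    return [c.name for c in chosen], spent, residual_ale(RISKS, chosen)


if __name__ == "__main__":
    names, spent, residual = run_example()
    print(f"Starting ALE: ${total_ale(RISKS):,.0f}")
    for n in names:
        print(f"  selected: {n}")
    print(f"Spent ${spent:,.0f} of ${BUDGET:,}; residual ALE ${residual:,.0f}")
```

With the constructed figures, MFA is chosen first (it reduces two risks for a modest cost), then backups; the portal hardening never clears a positive ROSI and EDR loses most of its value once the ransomware risk has already been cut, so roughly 40 percent of the budget is left unspent. The model is only as good as the probability and impact estimates feeding it, which is why the article pairs it with a maturity assessment and an independent view.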

At NRI, we consider this a holistic approach to cyber security with the desired outcome being an integrated solution that incorporates:

  • People, processes and technology
  • A clear understanding of the objectives
  • Protection of workloads across all domains
  • A solution which combines the ability to identify, detect, protect, respond and recover
  • A combination of system monitoring, vulnerability management and endpoint protection
  • Countermeasures that are proportional to the value of the assets being protected.

Winning over the jury

In our experience, it is realistic to expect that investments are influenced by organisational characteristics but also by the individual perspective of the decision-maker within that organisation. Consider an independent assessment that gives decision makers the insights needed to invest appropriately in cyber security.


How NRI can help

When you know you’ve got the right security capabilities and processes in place, you’re free to innovate confidently.

For many years now, we’ve worked with Government agencies, commercial organisations and infrastructure providers alike to uphold that gold standard of security.

Our experience protecting the most complex and critical environments, and our partnerships with leading security vendors, mean we’re able to protect data availability, integrity and confidentiality – while adhering to the strictest of security and compliance protocols.
