How much should you invest in cybersecurity?
Q: How much should a business spend to protect themselves against cybersecurity threats?
A:
I spoke with Carmine Cicalese, President of Cyber CIC, LLC (a cybersecurity consulting firm) to gain insights on how to hedge cyber risk as a business owner.
Here is what he shared:
The short, professional answer is: it depends.
According to Carmine, the most important factors that can help you decide how much to invest are the following:
The nature of the business
Number of people and devices used
Percentage of remote workers
Cloud presence in your business
Sensitivity of the business’s data (he calls it the crown jewels)
The owner’s risk tolerance
Those factors can help you develop a risk-based approach to investing in cybersecurity.
The good news is, there is a benchmark out there when it comes to spending. According to many web surveys (Canada, U.S., U.K.), most businesses spend 10-12% of their total IT budget on cybersecurity.
While this number includes technology services provided by the IT team (e.g. multi-factor authentication, anti-virus, endpoint detection, email filtering, and patch management), he recommends a balanced approach that includes spending on all three areas: people, processes, and technology.
What might be missing?
Most businesses invest in technology and are likely not investing in people and processes (i.e. developing an incident response or disaster recovery plan, and the processes for executing those plans). Typically, that responsibility falls upon the Chief Information Security Officer (CISO) or another cybersecurity expert, a role that small and medium-sized businesses do not have in their organization.
How to bridge the gap?
Carmine recommends starting with your IT provider, who is best positioned to provide the necessary technologies to protect your data. When you are ready to invest in people and processes, find a collaborative cybersecurity advisor you can trust, who wants to improve your team’s ability to respond to threats.
If you want to discuss your business and needs, you can connect with Carmine on LinkedIn, or reach him by email at carm@cybercic.com.