Managing a Cybersecurity Budget: Where to Begin?


June 2021


As humans, we all have fight or flight instincts that kick in during dire situations. Our brains are hard-wired to either fight threats or run away from them to protect ourselves and our families. You’ve seen stories of mothers lifting up heavy automobiles to save their children, people developing superhuman speed to dodge a vehicle careening out of control, and many others.

In the third-party cyber risk management world, fight or flight looks a bit different. No surprising physical capabilities emerge. Instead, it manifests as an emotional response in the IT world, especially if you have considerable responsibility and a shoestring cybersecurity budget. The scenario of managing a seemingly infinite number of third-party assessments with a finite budget for cybersecurity is enough to send chills up your spine. And if you default to flight, that response might be to look up your favorite recruiter’s phone number or a job-hunting website.

Boards and senior executives experience a visceral reaction each time they see a news segment regarding a breach. While stock prices don’t always fall significantly, someone within the organization takes the fall and gets the “opportunity to excel elsewhere” when it occurs on their watch.

Suffice it to say that any IT manager or CISO worth their salt should have a solution for maximizing their current budget to minimize risk. But what happens when the budget falls short of what is necessary to protect the company from threats?

The first step is developing a cybersecurity budget request that clearly compares needs with current allocations and target allocations. It should also outline the various threats and risks and the cybersecurity costs anticipated to adequately manage risk.

Common Objections to Increasing Cybersecurity Budget

Allocating funds to a new line item can be tricky, particularly when those funds don’t explicitly correlate with profitability. It’s relatively easy to justify a new salesperson because their role is designed to bring in more income.

However, many companies balk at adding funds to their cybersecurity budget when they have not yet experienced a breach or the resulting fallout. Even though you can justify the cost of cybersecurity in terms of how it protects your company from threats and PR nightmares, it can still be a tough pill to swallow.

Regardless of the industry you serve, the best way to look at investments in cybersecurity is that they’re a solid defense that protects your bottom line and market position. However, knowing how your industry views success is critical for determining how you approach leadership.

Suppose you are in the insurance space, for example, where growth is measured in fractions of a percentage point of market share. In that case, your executives will look at spending very differently than if you are in a more innovative and nascent market. The more disruptive or tech-focused your industry, including companies that must justify spending to venture capital investors or pre-IPO valuations, the more open leadership will be to cybersecurity budget line items.

On the other hand, if you are in manufacturing, where margins are measured using graduated cylinders, IT leaders must justify every dollar spent.


The Realities of Measuring the ROI of Cybersecurity Budgets

There’s one fact every business must know about the ROI of managing cyber risk: it doesn’t exist unless you can find a company of comparable size with the exact same approach to risk management. That company must have experienced a breach or loss that you could be vulnerable to, and it must be willing to share the hit to its bottom line. Only then can you calculate the ROI of increasing the budget for cyber risk management activities.

ROI is elusive when it comes to managing risk. Chasing it is a foolhardy exercise that rarely produces an analysis that justifies your proposal to get some help.

Identifying Your Cybersecurity Budget Capacity

Let’s go back to the scenario above, where news breaks of a breach and senior leadership and the board have a knee-jerk response. Assuming you don’t choose the nuclear flight response and leave the company, it’s time to find a way to react appropriately.

Regardless of your cybersecurity budget breakdown, you, your team, and IT leaders must work together to find a way to manage risk with the funds currently available.

Identify Third-Party Vendors

Depending on the maturity of your cybersecurity risk management strategy, this process may be as simple as pulling up your list of cyber vendors. On the other hand, if this list doesn’t exist anywhere, it’s time to develop the list.

First, you’ll want to work with Accounts Payable to get a report of every dollar spent in the last—let’s say—three years. Be sure to get the commodity code associated with each transaction.

Next, you’ll need to remove all commodities unrelated to or not associated with the exchange of digital information. Keep in mind that intellectual property doesn’t have to be digital. Additionally, if you provide an engineered solution or manufacture a product requiring a non-analog transfer of information, you should also consider OEM devices. You probably already are aware of negotiated multi-year contracts. However, you’ll need to pay attention to direct-spend transactions as well.

With this list in mind, it’s time to sort each transaction by commodity and spend. Start with the most obvious vendors and the most significant expenditures. While you’ll ultimately want to comb through all of them, you have to start somewhere.

The obvious additions include software vendors with which you spend a million dollars each year. Potentially less obvious considerations might include printing companies, depending on what they print for you and your industry. Is there any sensitive information, for example healthcare or financial data, that might transfer to them? If you’re uncertain, contact the department at each level to learn more.

Assess the Cost of Cybersecurity Assessments

Once you have a solid list, it’s time to compare the information you need for security evaluations with what you know you have. This is not the time to dive deep into each company. Instead, think about the big-picture categories based on the data you pulled from Accounts Payable and from any colleagues who helped you develop the list.

Then you’ll need to identify the cost of performing each assessment. Some may be considerably more expensive, while others may be a lighter lift, so it may be easiest to estimate an average. This cost depends on your methodology, which might mean doing it manually with a spreadsheet, using SurveyMonkey or Google Forms, using our top-of-the-line GRC platform, or something else.

Now that you have an approximate cost, you can compare it to your cybersecurity budget and determine how many assessments you can perform and how to prioritize them. Simultaneously, you can let your leadership know what is possible with your budget and how much more you’ll need.
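As an added example (not from the original article), here is a Python sketch of the inventory-and-budget steps above: filter an Accounts Payable extract by commodity code, rank vendors by spend, and work out how many assessments fit a budget at an average per-assessment cost. The transactions, commodity codes and dollar figures are all constructed sample data.

```python
from collections import defaultdict

# Constructed three-year Accounts Payable extract: (vendor, commodity_code, amount_usd).
# Not real figures; built to illustrate the procedure in the article.
AP_TRANSACTIONS = [
    ("Acme SaaS", "SOFTWARE", 1_200_000),
    ("Acme SaaS", "SOFTWARE", 1_150_000),
    ("PrintCo", "PRINTING", 90_000),
    ("FleetFuel", "FUEL", 400_000),
    ("Office Depot", "OFFICE_SUPPLIES", 30_000),
    ("Cloud Host", "HOSTING", 600_000),
    ("Widget OEM", "OEM_DEVICES", 250_000),
    ("Payroll Bureau", "PAYROLL", 300_000),
]

# Commodity codes assumed (for this example) to involve an exchange of digital
# information. PRINTING is kept for review because, as the article notes,
# printers may still receive sensitive data depending on what they print.
DIGITAL_COMMODITIES = {"SOFTWARE", "HOSTING", "OEM_DEVICES", "PAYROLL", "PRINTING"}


def vendor_spend(transactions, digital_codes=DIGITAL_COMMODITIES):
    """Drop commodities unrelated to digital information, total spend per
    vendor, and return (vendor, total) pairs sorted largest spend first."""
    totals = defaultdict(int)
    for vendor, code, amount in transactions:
        if code in digital_codes:
            totals[vendor] += amount
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def plan_assessments(ranked, budget, avg_cost):
    """Prioritise by spend: return the vendors the budget covers, the vendors
    deferred, and the extra budget needed to assess everyone at avg_cost."""
    affordable = min(len(ranked), budget // avg_cost)
    covered = [vendor for vendor, _ in ranked[:affordable]]
    deferred = [vendor for vendor, _ in ranked[affordable:]]
    shortfall = max(0, len(ranked) * avg_cost - budget)
    return covered, deferred, shortfall


if __name__ == "__main__":
    ranked = vendor_spend(AP_TRANSACTIONS)
    covered, deferred, shortfall = plan_assessments(ranked, budget=10_000, avg_cost=3_000)
    for vendor, total in ranked:
        print(f"{vendor:<15} ${total:>12,}")
    print("assess now:", covered)
    print("deferred:  ", deferred, f"(additional budget needed: ${shortfall:,})")
```

The shortfall figure is the number to put in front of leadership alongside the list of vendors that go unassessed at the current allocation.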

A Better Way to Manage Third-Party Risks

If you’re given a monumental task with minimal resources, your management is not yet acutely aware of the importance of cybersecurity and brand reputation.

According to a Ponemon study, 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. Moreover, 80% of organizations believe vetting third parties is critical, yet 60% of organizations believe they are only somewhat or not effective at vetting third parties.

While you can perform cybersecurity risk assessments manually, it takes time and resources, and it can be challenging to chase down assessment forms from third parties. Moreover, you need to monitor those third parties to ensure they perform within your risk tolerance levels.

However, there’s another option: enter CyberGRX. We’ve helped thousands of enterprises overcome the limitations of traditional risk management using our database, the world’s first and largest third-party Exchange: 12,000+ assessments, 200,000 companies, real-time threat monitoring, and predictive risk models. Structured, standardized data creates the foundation for advanced analytics and paves the way for machine learning to analyze the trends, which we call cyber risk intelligence. Cyber risk intelligence makes it possible to use information from multiple data sources to assess and improve your organization’s risk posture.

Third-Party Risk Management Services Maximize Your Cybersecurity Budget

For risk managers working on a tight cybersecurity budget, an exchange reduces human resources and costs for all involved. Third parties fill out one dynamic assessment and share it with anyone they choose, which saves them a tremendous amount of time and builds trust. Simultaneously, enterprises can access completed assessments and predictive risk profiles to help them make faster, more informed decisions about their third parties. As a result, you’ll spend less time chasing assessment data and more time acting on the information.

Even if you’re establishing third-party risk management protocols due to leadership’s knee-jerk response to a breach, using a solution like CyberGRX can help you minimize future risk. Moreover, you’ll be better able to vet and select future third-party vendors based on their risk, and give your board and leadership confidence in your ability to manage your budget and cyber risk.

CyberGRX has deep experience and expertise in third-party cyber risk management for enterprises. Find out how we can help your organization today.
