This guest blog was contributed by Edward Tuorinsky, CEO and President, DTS
We’ve entered an era of new business risk. Our fast-evolving IT landscape comes with even faster-evolving cybersecurity threats. Companies understandably want to protect their systems, data, and customers, but at what cost? How much is enough? Who should handle the work? The answers are increasingly less about IT structure and digital assets and more about an organization’s appetite for risk.
A review of top considerations can clarify the timing and approach for budget-minded companies.
The Bottom Line
Companies of every size are facing choices when operationalizing cybersecurity. Which standards and certifications will you follow? What’s required of you contractually or by partners? Will you outsource or hire for the expertise needed? These decisions come back to the budget and whether a company can accept the potential losses from a cybersecurity incident.
The costs for this new operational expense are significant, including an initial investment to establish compliance or meet a minimum level of cybersecurity, and ongoing costs to monitor and maintain systems. Although many suggest that 10-20 percent of your IT budget is enough, that estimate hasn’t held up in the market.
I tell companies to expect that the initial implementation will require an investment of 1-5 percent of their total operation costs during a process that takes 4-20 months. Once established, maintaining cybersecurity is typically based on the number of tech-using employees and ranges from $50 - $300 per person per month.
The Process is a Journey of Decisions
Implementing cybersecurity impacts every aspect of a business, so set a pace for a long journey, not a sprint. Although the industry has established best practices, the nuances of technology and company structure mean that your journey will be unique and that options exist at every stage of the process that can impact cost.
Assess your posture: For those just getting started, conducting a gap analysis returns an incredible amount of information. A third party can do the assessment for a one-time fee.
Results will help company leaders understand their scope: Where is the information that needs to be protected? How does data flow? What systems are at risk from outside? What processes will need to change?
Architecture: Knowing where you have risk, the next step is to look at how your systems are structured and where protection is needed. Well-organized and efficient systems based on zero-trust principles cost less to protect. Modernizing IT or moving to the cloud can pay for itself in savings.
Remediation: The heavy lift for cybersecurity comes from implementing technical controls, and establishing policies and procedures for cybersecurity. The options here include hiring cybersecurity expertise in-house, outsourcing, or a combination of both.
We’ve seen several options being marketed that seem to help lower remediation costs – from overseas service providers to limited-scope packages to do-it-yourself programs. Each comes with a level of risk so it’s essential to make well-informed choices and consider your company’s long-term objectives.
Certification: The cost of accreditation, often involving a third-party audit, depends on scope. For some companies, getting that stamp of approval is critical to winning new work or keeping partners or customers. The ROI is high. Others may pass the costs on to customers but highlight their security as a competitive advantage.
Monitoring, Management, and Maturity: Cybersecurity is not set-it-and-forget-it. The managed services, which include monitoring and auditing systems and making updates, are about follow-through. Are you doing what you say you're doing to protect data? Are you keeping up with changing schemes and threats through continuous process improvement? Do your employees follow protocols?
This step is really about operationalizing the costs of cybersecurity. Although the initial investment and ongoing costs are separate numbers, they belong on the same budget line. There’s no sense in getting compliant or earning a certification and then not maintaining security.
It will be interesting to see how the Department of Defense handles contractors who must be CMMC certified yet choose not to maintain compliance or to cut corners in the coming years. It will set the tone for all US businesses. Whistleblowers, the False Claims Act, and costly security incidents are powerful deterrents, yet some companies will risk it all to save the spend.
An Inside Job or an Outside Expert
Can you handle cybersecurity yourself? The work is doable for companies with a good understanding of cybersecurity concepts, support from leadership, the budget for expertise and training, and plenty of time. Few small businesses can afford the personnel to manage the technology parts of the work. Still, they may be able to handle documentation or some maintenance tasks to help defray costs.
Most companies will need outside expertise for some or all of the work. A good partner will take the time to understand your scope, educate decision-makers, explain options, and inform you of the associated risks.
While outsourcing is more cost-effective, it requires time and attention from company leaders and IT staff. Be cautious about consultants who don’t define their scope or schedule – or say they can help with remediation or certification for a monthly fee – because there’s no incentive for them to get you certified or protected quickly.
The Long Game
Budget considerations for cybersecurity demand a future focus. The need for data security isn’t going away, so delaying only increases business risk. Implementing basic controls costs far less than recovering from even a small breach.
Any big operational change is going to take time and creep into other areas and budgets. The process often highlights outdated systems and inefficiencies that need to be addressed. And any change that involves people will be met with resistance. That’s why it seems easier for start-ups to embrace cybersecurity than for established firms.
For companies still considering their timing and approach to cybersecurity, many factors can impact costs, but none of them decrease by waiting.