7 Tips the Pros Won’t Tell You About Budgeting For Risk

Every business must create its own process for identifying, testing, and budgeting for risk. We studied the data and talked to several industry-leading CSOs to find out how they do it.

How much should your company spend on security? The simple answer: It depends. Whether we’re talking physical security, cybersecurity, or risk mitigation practices, every company will have different requirements. Like a fingerprint, each business is unique. There are often hundreds of factors, both internal and external, to consider. Things like a business’s industry-type, the sorts of proprietary or sensitive assets it manages, the regulatory necessities it faces, the complexity of its IT infrastructure, the chance of it being a target for attacks (target value), and other factors will play a key role in an organization’s decision making.

A more useful question might be: How will your organization determine what your security budget should be? Determining the right level of security spending is essential to appropriately responding to a threat

Many factors drive security spending

Recent research provides some context in terms of how much companies are spending on protection. According to a 2019 survey that asked executives worldwide what percentage of their company’s total budget was represented by security; the average response was 15%. Nearly one quarter of the organizations (23%) devoted 20% or more of their budget to security.

Company size does not not seem like a major factor. Small businesses, on average, spend an equal percentage on security as larger enterprises. Regarding industries, the sectors devoting the highest percentage of budget to security are professional services, financial services, and technology.

When asked to name the top investment needs at their company, 40% of IT executives listed cybersecurity, tied with accelerating operational efficiency. The remaining 20% divided out among improving consumer experience, business development, transforming existing business processes, and improving profitability.

Another survey of security experts worldwide, shows that nearly two-thirds of enterprises (60%) plan to increase security budgets in the next year by an average of 13%. Among the factors that determined distribution of security spending were best practices (74%), compliance mandates (69%), responding to a security incident that happened to the organization (35%), mandates from the board of directors (33%), and responding to a security incident that occurred at another organization (29%).

That being said, here are 7 tips for determining a security budget:

Tip 1: Emulate how security companies budget safety

At Chesley Brown, we provide risk mitigation and full spectrum security services.

“Budget priorities are determined by trends and data. Trends to assure that best practices are in place and that your property doesn’t fall below comparable standards. Data can tell us a lot. By analyzing the data it allows us to show gaps and aid with educated predictions,” says Brent Brown Chairman and CEO of Chesley Brown Companies. “Data alone doesn’t tell the whole story. Analyze it with context in mind — beyond just the ‘fence line’ of a property.”

Tip 2: Prioritize improving operational efficiencies to keep costs down

“Better planning, preparation and the storage of essentials are several trends we’ve seen with the coronavirus outbreak” says Brown. “Technology that has been available for the last several years will no longer have to prove its place in a security management plan, especially when you weigh the efficiencies gained by leveraging these technologies. We do everything in our power to keep things cost-neutral over time, but like most organizations, we’re being called on to cover a broader and wider variety of threats today. The fact is, we must realize operational efficiencies if we want to stay ahead. Were it not for the improved efficiencies we’ve gained through technology, spending would be up year over year,” he says.

Tip 3: Use a controls framework to define policy and needs.

To help decide how the organization should spend on safety, Chesley Brown recommends using a controls framework to outline the technical, administrative and physical policies, techniques and equipment you want to put into service.

“The need for security is indisputable, in fact, in times of economic unrest the need increases,” Brown says. “The challenge, however, is if the business(es) we protect are economically harmed then what can they sustain? How fast will our clients return to prosperity and what are the new cost factors not previously considered? Some of those items are Personal Protective Equipment (PPE), hazard pay, sick leave for extended periods.”

By using a controls framework, you can speed up decision making, leverage existing know-how, generate maximum impact while still reducing risk across the organization.

Tip 4: Identify the point of diminishing returns.

To determine the ideal level of spending, companies need to know at what point additional expenses yield a marginal return regarding risk reduction. Some safety expenses are predetermined. Few companies have the luxury of identifying what to spend based solely on personal choice. Most businesses face regulatory necessities, customer expectations, or partner needs that dictate additional spending.

“Since security is the one entity that must remain in place, new spending might include additional costs to keep properties running,” Brown says. “Without question, the biggest change will be those that never had a crisis management/continuity plan (or haven’t updated theirs for a while) quickly realizing the need to have one. These plans will also need to include a new chapter.”

Remember, some companies might place a higher premium on security and privacy than others, possibly even choosing this as a strategy of differentiation from competitors. You should discuss this with your stakeholders ahead of time to establish clear objectives.

Tip 5: Perform regular risk assessments.

Performing regular risk assessments as part of your routine security regime can help you answer the question of how much to spend.

“If the threat doesn’t change, then additional spending is unlikely to yield better results,” Brown says. “If we realize certain areas need better coverage, then we prioritize that. What’s important is to never become complacent. It’s all about making the best decisions using objective information.”

Tip 6: Create a framework to measure security maturity.

It is very difficult to determine how much money is enough, and what the right level of expenditure needs to be. Chesley Brown has adopted a framework, the Chesley Brown Risk Mitigation Framework, to measure security effectiveness, maturity, and efficiency. This ongoing evaluation is used to justify additional investment as needed and put in place additional controls and sub-controls. If investment is preventing you from fully imposing sub-controls, then you should add that to our budget request. Data combined with evolving business needs and current threats should be weighed in conjunction to your budget requirements.

Tip 7: Justify spending needs based on current threats.

Implementing needed security improvements can be delayed or cancelled because of lack of investment. These delays slowly erode whatever benefits your security program would have provided. You can avoid security malaise by analyzing emerging threats often, maintaining regular contact with stakeholders, board members, and peer organizations; performing regular threat assessments and leveraging any available data to validate spending decisions.

The Truth Is

There is  no silver bullet solution for establishing an organization’s security budget. Company size, culture, products, assets, regulatory and compliance requirements all need to play a major role in decision making. With so many considerations it is a complicated and time-consuming process. Many business owners struggle to fully grasp the myriad risks they face. That’s why we’ve built a framework that teaches businesses how to anticipate and navigate risk before it becomes a crisis. Be sure to read Chesley Brown’s “The Business Continuity and Crisis Management Handbook” for our comprehensive list of tips and strategies for preparing for and navigating a crisis effectively.