7 Tips the Pros Won’t Tell You About Budgeting For Risk

Every business must create its own process for identifying, testing, and budgeting for risk. We studied the data and talked to several industry-leading CSOs to find out how they do it.

How much should your company spend on security? The simple answer: It depends. Whether we’re talking physical security, cybersecurity, or risk mitigation practices, every company will have different requirements. Like a fingerprint, each business is unique. There are often hundreds of factors, both internal and external, to consider. Things like a business’s industry-type, the sorts of proprietary or sensitive assets it manages, the regulatory necessities it faces, the complexity of its IT infrastructure, the chance of it being a target for attacks (target value), and other factors will play a key role in an organization’s decision making.

A more useful question might be: How will your organization determine what your security budget should be? Determining the right level of security spending is essential to appropriately responding to a threat

Many factors drive security spending

Recent research provides some context in terms of how much companies are spending on protection. According to a 2019 survey that asked executives worldwide what percentage of their company’s total budget was represented by security; the average response was 15%. Nearly one quarter of the organizations (23%) devoted 20% or more of their budget to security.

Company size does not not seem like a major factor. Small businesses, on average, spend an equal percentage on security as larger enterprises. Regarding industries, the sectors devoting the highest percentage of budget to security are professional services, financial services, and technology.

When asked to name the top investment needs at their company, 40% of IT executives listed cybersecurity, tied with accelerating operational efficiency. The remaining 20% divided out among improving consumer experience, business development, transforming existing business processes, and improving profitability.

Another survey of security experts worldwide, shows that nearly two-thirds of enterprises (60%) plan to increase security budgets in the next year by an average of 13%. Among the factors that determined distribution of security spending were best practices (74%), compliance mandates (69%), responding to a security incident that happened to the organization (35%), mandates from the board of directors (33%), and responding to a security incident that occurred at another organization (29%).

That being said, here are 7 tips for determining a security budget:

Tip 1: Emulate how security companies budget safety

At Chesley Brown, we provide risk mitigation and full spectrum security services.

“Budget priorities are determined by trends and data. Trends to assure that best practices are in place and that your property doesn’t fall below comparable standards. Data can tell us a lot. By analyzing the data it allows us to show gaps and aid with educated predictions,” says Brent Brown Chairman and CEO of Chesley Brown Companies. “Data alone doesn’t tell the whole story. Analyze it with context in mind — beyond just the ‘fence line’ of a property.”

Tip 2: Prioritize improving operational efficiencies to keep costs down

“Better planning, preparation and the storage of essentials are several trends we’ve seen with the coronavirus outbreak” says Brown. “Technology that has been available for the last several years will no longer have to prove its place in a security management plan, especially when you weigh the efficiencies gained by leveraging these technologies. We do everything in our power to keep things cost-neutral over time, but like most organizations, we’re being called on to cover a broader and wider variety of threats today. The fact is, we must realize operational efficiencies if we want to stay ahead. Were it not for the improved efficiencies we’ve gained through technology, spending would be up year over year,” he says.

Tip 3: Use a controls framework to define policy and needs.

To help decide how the organization should spend on safety, Chesley Brown recommends using a controls framework to outline the technical, administrative and physical policies, techniques and equipment you want to put into service.

“The need for security is indisputable, in fact, in times of economic unrest the need increases,” Brown says. “The challenge, however, is if the business(es) we protect are economically harmed then what can they sustain? How fast will our clients return to prosperity and what are the new cost factors not previously considered? Some of those items are Personal Protective Equipment (PPE), hazard pay, sick leave for extended periods.”

By using a controls framework, you can speed up decision making, leverage existing know-how, generate maximum impact while still reducing risk across the organization.

Tip 4: Identify the point of diminishing returns.

To determine the ideal level of spending, companies need to know at what point additional expenses yield a marginal return regarding risk reduction. Some safety expenses are predetermined. Few companies have the luxury of identifying what to spend based solely on personal choice. Most businesses face regulatory necessities, customer expectations, or partner needs that dictate additional spending.

“Since security is the one entity that must remain in place, new spending might include additional costs to keep properties running,” Brown says. “Without question, the biggest change will be those that never had a crisis management/continuity plan (or haven’t updated theirs for a while) quickly realizing the need to have one. These plans will also need to include a new chapter.”

Remember, some companies might place a higher premium on security and privacy than others, possibly even choosing this as a strategy of differentiation from competitors. You should discuss this with your stakeholders ahead of time to establish clear objectives.

Tip 5: Perform regular risk assessments.

Performing regular risk assessments as part of your routine security regime can help you answer the question of how much to spend.

“If the threat doesn’t change, then additional spending is unlikely to yield better results,” Brown says. “If we realize certain areas need better coverage, then we prioritize that. What’s important is to never become complacent. It’s all about making the best decisions using objective information.”

Tip 6: Create a framework to measure security maturity.

It is very difficult to determine how much money is enough, and what the right level of expenditure needs to be. Chesley Brown has adopted a framework, the Chesley Brown Risk Mitigation Framework, to measure security effectiveness, maturity, and efficiency. This ongoing evaluation is used to justify additional investment as needed and put in place additional controls and sub-controls. If investment is preventing you from fully imposing sub-controls, then you should add that to our budget request. Data combined with evolving business needs and current threats should be weighed in conjunction to your budget requirements.

Tip 7: Justify spending needs based on current threats.

Implementing needed security improvements can be delayed or cancelled because of lack of investment. These delays slowly erode whatever benefits your security program would have provided. You can avoid security malaise by analyzing emerging threats often, maintaining regular contact with stakeholders, board members, and peer organizations; performing regular threat assessments and leveraging any available data to validate spending decisions.

The Truth Is

There is  no silver bullet solution for establishing an organization’s security budget. Company size, culture, products, assets, regulatory and compliance requirements all need to play a major role in decision making. With so many considerations it is a complicated and time-consuming process. Many business owners struggle to fully grasp the myriad risks they face. That’s why we’ve built a framework that teaches businesses how to anticipate and navigate risk before it becomes a crisis. Be sure to read Chesley Brown’s The Business Continuity and Crisis Management Handbook for our comprehensive list of tips and strategies for preparing for and navigating a crisis effectively.

Posted by:

Sign up!

For industry-leading guides and analysis sign up for our blog below.

  • This field is for validation purposes and should be left unchanged.

Latest News

Picture of a man (Director Ray Strobel) wearing a suit standing in front of a Chesley Brown Flag.

Introducing Ray Strobel: Director of the Waterfront

By Chesley Brown | April 10, 2024

We’re thrilled to announce the promotion of Ray Strobel to the role of Public Safety Director at the Waterfront in Pittsburgh’s Steel Valley! Ray brings with him a wealth of experience and a unique perspective from his extensive background in law enforcement and service to our country. We sat down with Ray for a fun interview to get to know him better and learn about his journey with Chesley Brown and beyond.

Read More

Employee Spotlight: Isabella Mazza

By Chesley Brown | January 3, 2024

We’re thrilled to introduce Isabella Mazza, the newest rockstar on our team at Chesley Brown International. Ready for some real talk and a sneak peek into Isabella’s world? Well, you’re in for a treat! Isabella…

Read More
how security enhances Commercial Property Values

The Economic Benefits of Private Security: Enhancing Commercial Property Values

By Chesley Brown | August 30, 2023

As the world becomes increasingly unpredictable, it’s no surprise that businesses are focused on protecting their assets. While public security initiatives have long been at the forefront of ensuring public safety, private security has emerged…

Read More
Maximizing security with a limited budget

Maximizing Security Without Breaking the Bank: Practical Tips for Organizations with Limited Budgets

By Chesley Brown | August 15, 2023

In today’s digital landscape, security threats are everywhere and no organization is immune to them. However, with limited budgets for security measures, organizations often face a tough challenge in ensuring that they remain protected against…

Read More
Electric vehicle charging station. Image is used to show EV fire hazards

The Hazards of EV Charging Stations

By Chesley Brown | July 26, 2023

Written by: Andy Marsh Fire and Life Safety Manager Chesley Brown International Technological advances have been the driving force behind the way we communicate, the way we work, and possibly even the way we get…

Read More
The 7 Step Guide for Building Business Continuity Plans that Work