7 Tips the Pros Won’t Tell You About Budgeting For Risk

Every business must create its own process for identifying, testing, and budgeting for risk. We studied the data and talked to several industry-leading CSOs to find out how they do it.

How much should your company spend on security? The simple answer: It depends. Whether we’re talking physical security, cybersecurity, or risk mitigation practices, every company will have different requirements. Like a fingerprint, each business is unique. There are often hundreds of factors, both internal and external, to consider. Things like a business’s industry-type, the sorts of proprietary or sensitive assets it manages, the regulatory necessities it faces, the complexity of its IT infrastructure, the chance of it being a target for attacks (target value), and other factors will play a key role in an organization’s decision making.

A more useful question might be: How will your organization determine what your security budget should be? Determining the right level of security spending is essential to appropriately responding to a threat

Many factors drive security spending

Recent research provides some context in terms of how much companies are spending on protection. According to a 2019 survey that asked executives worldwide what percentage of their company’s total budget was represented by security; the average response was 15%. Nearly one quarter of the organizations (23%) devoted 20% or more of their budget to security.

Company size does not not seem like a major factor. Small businesses, on average, spend an equal percentage on security as larger enterprises. Regarding industries, the sectors devoting the highest percentage of budget to security are professional services, financial services, and technology.

When asked to name the top investment needs at their company, 40% of IT executives listed cybersecurity, tied with accelerating operational efficiency. The remaining 20% divided out among improving consumer experience, business development, transforming existing business processes, and improving profitability.

Another survey of security experts worldwide, shows that nearly two-thirds of enterprises (60%) plan to increase security budgets in the next year by an average of 13%. Among the factors that determined distribution of security spending were best practices (74%), compliance mandates (69%), responding to a security incident that happened to the organization (35%), mandates from the board of directors (33%), and responding to a security incident that occurred at another organization (29%).

That being said, here are 7 tips for determining a security budget:

Tip 1: Emulate how security companies budget safety

At Chesley Brown, we provide risk mitigation and full spectrum security services.

“Budget priorities are determined by trends and data. Trends to assure that best practices are in place and that your property doesn’t fall below comparable standards. Data can tell us a lot. By analyzing the data it allows us to show gaps and aid with educated predictions,” says Brent Brown Chairman and CEO of Chesley Brown Companies. “Data alone doesn’t tell the whole story. Analyze it with context in mind — beyond just the ‘fence line’ of a property.”

Tip 2: Prioritize improving operational efficiencies to keep costs down

“Better planning, preparation and the storage of essentials are several trends we’ve seen with the coronavirus outbreak” says Brown. “Technology that has been available for the last several years will no longer have to prove its place in a security management plan, especially when you weigh the efficiencies gained by leveraging these technologies. We do everything in our power to keep things cost-neutral over time, but like most organizations, we’re being called on to cover a broader and wider variety of threats today. The fact is, we must realize operational efficiencies if we want to stay ahead. Were it not for the improved efficiencies we’ve gained through technology, spending would be up year over year,” he says.

Tip 3: Use a controls framework to define policy and needs.

To help decide how the organization should spend on safety, Chesley Brown recommends using a controls framework to outline the technical, administrative and physical policies, techniques and equipment you want to put into service.

“The need for security is indisputable, in fact, in times of economic unrest the need increases,” Brown says. “The challenge, however, is if the business(es) we protect are economically harmed then what can they sustain? How fast will our clients return to prosperity and what are the new cost factors not previously considered? Some of those items are Personal Protective Equipment (PPE), hazard pay, sick leave for extended periods.”

By using a controls framework, you can speed up decision making, leverage existing know-how, generate maximum impact while still reducing risk across the organization.

Tip 4: Identify the point of diminishing returns.

To determine the ideal level of spending, companies need to know at what point additional expenses yield a marginal return regarding risk reduction. Some safety expenses are predetermined. Few companies have the luxury of identifying what to spend based solely on personal choice. Most businesses face regulatory necessities, customer expectations, or partner needs that dictate additional spending.

“Since security is the one entity that must remain in place, new spending might include additional costs to keep properties running,” Brown says. “Without question, the biggest change will be those that never had a crisis management/continuity plan (or haven’t updated theirs for a while) quickly realizing the need to have one. These plans will also need to include a new chapter.”

Remember, some companies might place a higher premium on security and privacy than others, possibly even choosing this as a strategy of differentiation from competitors. You should discuss this with your stakeholders ahead of time to establish clear objectives.

Tip 5: Perform regular risk assessments.

Performing regular risk assessments as part of your routine security regime can help you answer the question of how much to spend.

“If the threat doesn’t change, then additional spending is unlikely to yield better results,” Brown says. “If we realize certain areas need better coverage, then we prioritize that. What’s important is to never become complacent. It’s all about making the best decisions using objective information.”

Tip 6: Create a framework to measure security maturity.

It is very difficult to determine how much money is enough, and what the right level of expenditure needs to be. Chesley Brown has adopted a framework, the Chesley Brown Risk Mitigation Framework, to measure security effectiveness, maturity, and efficiency. This ongoing evaluation is used to justify additional investment as needed and put in place additional controls and sub-controls. If investment is preventing you from fully imposing sub-controls, then you should add that to our budget request. Data combined with evolving business needs and current threats should be weighed in conjunction to your budget requirements.

Tip 7: Justify spending needs based on current threats.

Implementing needed security improvements can be delayed or cancelled because of lack of investment. These delays slowly erode whatever benefits your security program would have provided. You can avoid security malaise by analyzing emerging threats often, maintaining regular contact with stakeholders, board members, and peer organizations; performing regular threat assessments and leveraging any available data to validate spending decisions.

The Truth Is

There is  no silver bullet solution for establishing an organization’s security budget. Company size, culture, products, assets, regulatory and compliance requirements all need to play a major role in decision making. With so many considerations it is a complicated and time-consuming process. Many business owners struggle to fully grasp the myriad risks they face. That’s why we’ve built a framework that teaches businesses how to anticipate and navigate risk before it becomes a crisis. Be sure to read Chesley Brown’s The Business Continuity and Crisis Management Handbook for our comprehensive list of tips and strategies for preparing for and navigating a crisis effectively.

Sign up!

For industry-leading guides and analysis sign up for our blog below.

  • This field is for validation purposes and should be left unchanged.

Latest News

Podcast | Risk Takers Series #1 The Aldrich Ames Espionage Case

By Chesley Brown | June 26, 2020

Dell Spry, a former FBI investigator and counterespionage expert, sits down to discuss the biggest case of insider theft in U.S. History: The Aldrich Ames Case. Hear how he, along with the help of the…

Read More

risk-takers #1 The Aldrich Ames Espionage Case

By Chesley Brown | June 26, 2020

Dell Spry, a former FBI investigator and counterespionage expert, sits down to discuss the biggest case of insider theft in U.S. History: The Aldrich Ames Case. Hear how he, along with the help of the CIA, and the fellow FBI agents used their cunning, hard work, and old fashioned investigative work to capture and convict most infamous CIA officer-turned traitor: Aldrich Hazan “Rick” Ames. Beginning in 1985 the CIA experienced the unparalleled loss of its of Soviet assets, which nearly destroyed the government’s ability to gather intelligence on the Soviet Union. In this interview Mr. Spry discusses his personal involvement in the case as the FBI’s lead investigator including many of the investigative methods they used. Hear never before details about the harrowing investigation to not only investigate and convict the highest ranking government official ever accused of spying, but to protect future Russian assets. In 1991, the quest led them to search for a Soviet spy in the CIA. They came to identify that spy as CIA Case Officer, Aldrich Hazan “Rick” Ames, a long-time CIA case officer and analyst. In February of 1994, Ames was arrested by the FBI and sentenced to life in prison.

Read More
hand stopping dominos from falling, represent a crisis being prevents or stopped

10 Steps for Building a Crisis Management Communication Strategy

By Chesley Brown | June 23, 2020

Small changes have a big impact. As a public health crisis of worldwide proportions comes into focus, it is imperative for individuals, organizations, and nations to develop effective resilience strategies, including communications and outreach as…

Read More
Two people riding a moving sidewalk into a bright white void to represent transformation

The Future of Work

By Chesley Brown | May 21, 2020

The Future of Work: Protecting Trade Secrets Written by: Dell Spry Many businesses, both large and small, are desperately seeking ways to keep their companies operational with all of  the closures and uncertainties associated with…

Read More
Graphic of two people Looking at charts and graphs representing a risk assessment

Managing Risk During a Pandemic

By Chesley Brown | May 12, 2020

5 Tips for Conducting Better Risk Assessments for a Pandemic In earlier sections, we discussed the need for a risk-based approach and outlined 6 New Business Risks to consider when preparing your business for coronavirus.…

Read More
The 7 Step Guide for Building Business Continuity Plans that Work