7 Tips the Pros Won’t Tell You About Budgeting For Risk

Every business must create its own process for identifying, testing, and budgeting for risk. We studied the data and talked to several industry-leading CSOs to find out how they do it.

How much should your company spend on security? The simple answer: It depends. Whether we’re talking physical security, cybersecurity, or risk mitigation practices, every company will have different requirements. Like a fingerprint, each business is unique. There are often hundreds of factors, both internal and external, to consider. Things like a business’s industry-type, the sorts of proprietary or sensitive assets it manages, the regulatory necessities it faces, the complexity of its IT infrastructure, the chance of it being a target for attacks (target value), and other factors will play a key role in an organization’s decision making.

A more useful question might be: How will your organization determine what your security budget should be? Determining the right level of security spending is essential to appropriately responding to a threat

Many factors drive security spending

Recent research provides some context in terms of how much companies are spending on protection. According to a 2019 survey that asked executives worldwide what percentage of their company’s total budget was represented by security; the average response was 15%. Nearly one quarter of the organizations (23%) devoted 20% or more of their budget to security.

Company size does not not seem like a major factor. Small businesses, on average, spend an equal percentage on security as larger enterprises. Regarding industries, the sectors devoting the highest percentage of budget to security are professional services, financial services, and technology.

When asked to name the top investment needs at their company, 40% of IT executives listed cybersecurity, tied with accelerating operational efficiency. The remaining 20% divided out among improving consumer experience, business development, transforming existing business processes, and improving profitability.

Another survey of security experts worldwide, shows that nearly two-thirds of enterprises (60%) plan to increase security budgets in the next year by an average of 13%. Among the factors that determined distribution of security spending were best practices (74%), compliance mandates (69%), responding to a security incident that happened to the organization (35%), mandates from the board of directors (33%), and responding to a security incident that occurred at another organization (29%).

That being said, here are 7 tips for determining a security budget:

Tip 1: Emulate how security companies budget safety

At Chesley Brown, we provide risk mitigation and full spectrum security services.

“Budget priorities are determined by trends and data. Trends to assure that best practices are in place and that your property doesn’t fall below comparable standards. Data can tell us a lot. By analyzing the data it allows us to show gaps and aid with educated predictions,” says Brent Brown Chairman and CEO of Chesley Brown Companies. “Data alone doesn’t tell the whole story. Analyze it with context in mind — beyond just the ‘fence line’ of a property.”

Tip 2: Prioritize improving operational efficiencies to keep costs down

“Better planning, preparation and the storage of essentials are several trends we’ve seen with the coronavirus outbreak” says Brown. “Technology that has been available for the last several years will no longer have to prove its place in a security management plan, especially when you weigh the efficiencies gained by leveraging these technologies. We do everything in our power to keep things cost-neutral over time, but like most organizations, we’re being called on to cover a broader and wider variety of threats today. The fact is, we must realize operational efficiencies if we want to stay ahead. Were it not for the improved efficiencies we’ve gained through technology, spending would be up year over year,” he says.

Tip 3: Use a controls framework to define policy and needs.

To help decide how the organization should spend on safety, Chesley Brown recommends using a controls framework to outline the technical, administrative and physical policies, techniques and equipment you want to put into service.

“The need for security is indisputable, in fact, in times of economic unrest the need increases,” Brown says. “The challenge, however, is if the business(es) we protect are economically harmed then what can they sustain? How fast will our clients return to prosperity and what are the new cost factors not previously considered? Some of those items are Personal Protective Equipment (PPE), hazard pay, sick leave for extended periods.”

By using a controls framework, you can speed up decision making, leverage existing know-how, generate maximum impact while still reducing risk across the organization.

Tip 4: Identify the point of diminishing returns.

To determine the ideal level of spending, companies need to know at what point additional expenses yield a marginal return regarding risk reduction. Some safety expenses are predetermined. Few companies have the luxury of identifying what to spend based solely on personal choice. Most businesses face regulatory necessities, customer expectations, or partner needs that dictate additional spending.

“Since security is the one entity that must remain in place, new spending might include additional costs to keep properties running,” Brown says. “Without question, the biggest change will be those that never had a crisis management/continuity plan (or haven’t updated theirs for a while) quickly realizing the need to have one. These plans will also need to include a new chapter.”

Remember, some companies might place a higher premium on security and privacy than others, possibly even choosing this as a strategy of differentiation from competitors. You should discuss this with your stakeholders ahead of time to establish clear objectives.

Tip 5: Perform regular risk assessments.

Performing regular risk assessments as part of your routine security regime can help you answer the question of how much to spend.

“If the threat doesn’t change, then additional spending is unlikely to yield better results,” Brown says. “If we realize certain areas need better coverage, then we prioritize that. What’s important is to never become complacent. It’s all about making the best decisions using objective information.”

Tip 6: Create a framework to measure security maturity.

It is very difficult to determine how much money is enough, and what the right level of expenditure needs to be. Chesley Brown has adopted a framework, the Chesley Brown Risk Mitigation Framework, to measure security effectiveness, maturity, and efficiency. This ongoing evaluation is used to justify additional investment as needed and put in place additional controls and sub-controls. If investment is preventing you from fully imposing sub-controls, then you should add that to our budget request. Data combined with evolving business needs and current threats should be weighed in conjunction to your budget requirements.

Tip 7: Justify spending needs based on current threats.

Implementing needed security improvements can be delayed or cancelled because of lack of investment. These delays slowly erode whatever benefits your security program would have provided. You can avoid security malaise by analyzing emerging threats often, maintaining regular contact with stakeholders, board members, and peer organizations; performing regular threat assessments and leveraging any available data to validate spending decisions.

The Truth Is

There is  no silver bullet solution for establishing an organization’s security budget. Company size, culture, products, assets, regulatory and compliance requirements all need to play a major role in decision making. With so many considerations it is a complicated and time-consuming process. Many business owners struggle to fully grasp the myriad risks they face. That’s why we’ve built a framework that teaches businesses how to anticipate and navigate risk before it becomes a crisis. Be sure to read Chesley Brown’s The Business Continuity and Crisis Management Handbook for our comprehensive list of tips and strategies for preparing for and navigating a crisis effectively.

Sign up!

For industry-leading guides and analysis sign up for our blog below.

  • This field is for validation purposes and should be left unchanged.

Latest News

6 new business risks crom Coronavirus

6 New Risks for Businesses post COVID-19

By Chesley Brown | May 5, 2020

Coronavirus: 6 New Business Risks Your risk management strategy can and should play an important role in managing your business’s response to the coronavirus outbreak. By implementing the right risk management strategies for coronavirus, your…

Read More
Crisis Management Process Framework diagram

5 Tips for Creating Better Crisis Management Plans

By Chesley Brown | April 29, 2020

Like a lot of people, you may be wondering what comes next for your business or organization following the Coronavirus outbreak (or any other crisis for that matter). Well, you’ve come to the right place.…

Read More

FREE DOWNLOAD Securing a New World: Security, COVID-19, and Boots on the Ground

By Chesley Brown | March 16, 2020

There can be no argument that technology has infiltrated virtually every aspect of daily life for the vast majority of people and businesses across the world. Technology is woven into the social fabric of everyday life. It monitors our movements, our interests, our purchasing power, our locations, habits, our risk to insurers, our body chemistry, and health. Our images are captured overtly and unknowingly 1000’s of times daily. It captures the best of us in amazing acts of heroism and human interaction, and it captures the worst of us; for accountability and delivery of justice.

Read More

When it Comes to Corporate Espionage, Harvard’s Dr. Lieber is Just the Tip of the Iceberg

By Chesley Brown | February 5, 2020

When it Comes to Espionage Harvard’s Dr. Lieber is Just the Tip of the Iceberg From Chesley Brown International By Dell Spry Renowned Harvard Professor Arrested for Lying About Connection to China. Feb 5th, 2020…

Read More

Chesley Brown Launches Initiative to Fight Human Trafficking

By Chesley Brown | January 13, 2020

Chesley Brown Launches New Initiative to Fight Human Trafficking From The Chesley Brown Group Risk Management [dpArticleShare] Chesley Brown, the security management experts, announced today a new training initiative to provide support to victims, families,…

Read More
The 7 Step Guide for Building Business Continuity Plans that Work