7 Tips the Pros Won’t Tell You About Budgeting For Risk

Every business must create its own process for identifying, testing, and budgeting for risk. We studied the data and talked to several industry-leading CSOs to find out how they do it.

How much should your company spend on security? The simple answer: It depends. Whether we’re talking physical security, cybersecurity, or risk mitigation practices, every company will have different requirements. Like a fingerprint, each business is unique. There are often hundreds of factors, both internal and external, to consider. Things like a business’s industry-type, the sorts of proprietary or sensitive assets it manages, the regulatory necessities it faces, the complexity of its IT infrastructure, the chance of it being a target for attacks (target value), and other factors will play a key role in an organization’s decision making.

A more useful question might be: How will your organization determine what your security budget should be? Determining the right level of security spending is essential to appropriately responding to a threat

Many factors drive security spending

Recent research provides some context in terms of how much companies are spending on protection. According to a 2019 survey that asked executives worldwide what percentage of their company’s total budget was represented by security; the average response was 15%. Nearly one quarter of the organizations (23%) devoted 20% or more of their budget to security.

Company size does not not seem like a major factor. Small businesses, on average, spend an equal percentage on security as larger enterprises. Regarding industries, the sectors devoting the highest percentage of budget to security are professional services, financial services, and technology.

When asked to name the top investment needs at their company, 40% of IT executives listed cybersecurity, tied with accelerating operational efficiency. The remaining 20% divided out among improving consumer experience, business development, transforming existing business processes, and improving profitability.

Another survey of security experts worldwide, shows that nearly two-thirds of enterprises (60%) plan to increase security budgets in the next year by an average of 13%. Among the factors that determined distribution of security spending were best practices (74%), compliance mandates (69%), responding to a security incident that happened to the organization (35%), mandates from the board of directors (33%), and responding to a security incident that occurred at another organization (29%).

That being said, here are 7 tips for determining a security budget:

Tip 1: Emulate how security companies budget safety

At Chesley Brown, we provide risk mitigation and full spectrum security services.

“Budget priorities are determined by trends and data. Trends to assure that best practices are in place and that your property doesn’t fall below comparable standards. Data can tell us a lot. By analyzing the data it allows us to show gaps and aid with educated predictions,” says Brent Brown Chairman and CEO of Chesley Brown Companies. “Data alone doesn’t tell the whole story. Analyze it with context in mind — beyond just the ‘fence line’ of a property.”

Tip 2: Prioritize improving operational efficiencies to keep costs down

“Better planning, preparation and the storage of essentials are several trends we’ve seen with the coronavirus outbreak” says Brown. “Technology that has been available for the last several years will no longer have to prove its place in a security management plan, especially when you weigh the efficiencies gained by leveraging these technologies. We do everything in our power to keep things cost-neutral over time, but like most organizations, we’re being called on to cover a broader and wider variety of threats today. The fact is, we must realize operational efficiencies if we want to stay ahead. Were it not for the improved efficiencies we’ve gained through technology, spending would be up year over year,” he says.

Tip 3: Use a controls framework to define policy and needs.

To help decide how the organization should spend on safety, Chesley Brown recommends using a controls framework to outline the technical, administrative and physical policies, techniques and equipment you want to put into service.

“The need for security is indisputable, in fact, in times of economic unrest the need increases,” Brown says. “The challenge, however, is if the business(es) we protect are economically harmed then what can they sustain? How fast will our clients return to prosperity and what are the new cost factors not previously considered? Some of those items are Personal Protective Equipment (PPE), hazard pay, sick leave for extended periods.”

By using a controls framework, you can speed up decision making, leverage existing know-how, generate maximum impact while still reducing risk across the organization.

Tip 4: Identify the point of diminishing returns.

To determine the ideal level of spending, companies need to know at what point additional expenses yield a marginal return regarding risk reduction. Some safety expenses are predetermined. Few companies have the luxury of identifying what to spend based solely on personal choice. Most businesses face regulatory necessities, customer expectations, or partner needs that dictate additional spending.

“Since security is the one entity that must remain in place, new spending might include additional costs to keep properties running,” Brown says. “Without question, the biggest change will be those that never had a crisis management/continuity plan (or haven’t updated theirs for a while) quickly realizing the need to have one. These plans will also need to include a new chapter.”

Remember, some companies might place a higher premium on security and privacy than others, possibly even choosing this as a strategy of differentiation from competitors. You should discuss this with your stakeholders ahead of time to establish clear objectives.

Tip 5: Perform regular risk assessments.

Performing regular risk assessments as part of your routine security regime can help you answer the question of how much to spend.

“If the threat doesn’t change, then additional spending is unlikely to yield better results,” Brown says. “If we realize certain areas need better coverage, then we prioritize that. What’s important is to never become complacent. It’s all about making the best decisions using objective information.”

Tip 6: Create a framework to measure security maturity.

It is very difficult to determine how much money is enough, and what the right level of expenditure needs to be. Chesley Brown has adopted a framework, the Chesley Brown Risk Mitigation Framework, to measure security effectiveness, maturity, and efficiency. This ongoing evaluation is used to justify additional investment as needed and put in place additional controls and sub-controls. If investment is preventing you from fully imposing sub-controls, then you should add that to our budget request. Data combined with evolving business needs and current threats should be weighed in conjunction to your budget requirements.

Tip 7: Justify spending needs based on current threats.

Implementing needed security improvements can be delayed or cancelled because of lack of investment. These delays slowly erode whatever benefits your security program would have provided. You can avoid security malaise by analyzing emerging threats often, maintaining regular contact with stakeholders, board members, and peer organizations; performing regular threat assessments and leveraging any available data to validate spending decisions.

The Truth Is

There is  no silver bullet solution for establishing an organization’s security budget. Company size, culture, products, assets, regulatory and compliance requirements all need to play a major role in decision making. With so many considerations it is a complicated and time-consuming process. Many business owners struggle to fully grasp the myriad risks they face. That’s why we’ve built a framework that teaches businesses how to anticipate and navigate risk before it becomes a crisis. Be sure to read Chesley Brown’s The Business Continuity and Crisis Management Handbook for our comprehensive list of tips and strategies for preparing for and navigating a crisis effectively.

Posted by:

Sign up!

For industry-leading guides and analysis sign up for our blog below.

  • This field is for validation purposes and should be left unchanged.

Latest News

brand protection Services helps brands protect their intellectual property

Brand Protection: How Businesses Can Identify and Stop Intellectual Property Theft

By Chesley Brown | October 12, 2022

Adam Shipley was furious. He spent years building up his company’s brand of elite fishing gear, and now someone was selling counterfeits — even using lookalike packaging — through a half-dozen online marketplaces. At half…

Read More
Dell Spry being promoted to Vice President Emeritus

Dell Spry Promoted to Vice President Emeritus

By Chesley Brown | September 22, 2022

Dell Spry is an attorney by education a investigator by passion. He has been in law enforcement for over 30 years. In that time he served in the FBI as a Supervisory Special Agent and…

Read More
Construction worker and business man in suit shake hands after an in-depth asset search

Why your business may need an asset search

By Chesley Brown | September 20, 2022

Written By: James Hart Linda Daly didn’t know exactly what was wrong, but something was off about her latest business deal.  A month earlier, Daly – the owner of a midsize retail chain in the…

Read More
How to Secure Intellectual Property - featuring a picture of a woman scientist in a lab

How to Secure Intellectual Property and Trade Secrets

By Chesley Brown | August 30, 2022

Anything that has value is at risk of being stolen, and unfortunately, that includes your company’s ideas and information. After all, intellectual property generates tremendous value in today’s economy. In 2019, American industries that rely…

Read More
a consultant discusses How to Respond to a Whistleblower’s Report

How to Respond to a Whistleblower’s Report

By Chesley Brown | August 18, 2022

In theory, it should be a good thing when employees come forward with a whistleblower report.  They’ve spotted a threat to your organization and are giving you the insight you need to address the problem…

Read More
The 7 Step Guide for Building Business Continuity Plans that Work