How high should my IT security budget actually be?
by Svenja Koch
In recent years, spending on IT security has increased dramatically. Global digitization, the Internet of Things and, last but not least, the high proportion of employees who switched to home offices during the Corona pandemic make an investment in IT security indispensable. But do you actually know how high an IT security budget needs to be to ensure comprehensive security for your company? Which parameters drive up the costs for IT security, where can you possibly save and optimize? In this article, you will learn which risks you should not ignore under any circumstances when determining your IT security budget.
IT security as a new focus for budgeting
An interesting study conducted in 2019 by Bitkom Research and Tata Consultancy Services shows that a significant proportion of all companies want to expand their investments in IT security in the near future. Although "want" is possibly the wrong word - because if you consider the increasingly frequent cyberattacks and the associated dangers, investing in IT security is rather a must. Preventive defense against cyber threats is generally more cost-effective than repairing the damage after an attack. Nevertheless, experts take a critical view of the budget shift. After all, the more money companies put into IT security, the less financial leeway they have left for investing in further digitization - and thus in future viability. So how do you reconcile both requirements - security on the one hand and future viability on the other?
Setting the IT security budget - conventionally or risk-based?
For every decision that affects your future, you can take one of two paths. Either you make your decision based on experience - in which case you belong to the group of people who prefer conventional decisions. Or you belong to the group of analysts who take a close look at a situation and estimate how likely it is that this situation will change in the future. Estimating always involves risk - so in this case, you would belong to the risk-based decision-makers. The same distinction applies when determining the IT security budget.
If you choose the conventional way of IT security budgeting, then you
- base your planning on experience - for example, cyberattacks that have already occurred - or respond directly to current threat situations with the budget to be allocated
- quickly get the essential tools you need
- leave the amount of the budget unchanged for a more extended period of time
- do not set strategic goals
- invest in security only when it is urgent and unavoidable
Conventional budgeting undoubtedly works. However, this is only the case until unexpected, new requirements come your way. Especially with increasing digitization, new needs can arise, for example for a new ERP system or even an additional company site. It can happen very quickly that the firmly planned IT security budget is needed elsewhere and is therefore reallocated. This type of planning can be very economical for companies that operate a sophisticated risk management system.
On the other hand, conventional budgeting for IT security can also be expensive! If an unplanned event occurs, such as a significant cyberattack, it must be resolved without delay. This drives up IT security costs drastically, and none of it was planned for.
If, on the other hand, you choose the risk-based approach when determining the IT security budget, then you
- evaluate potential risks according to their direct impact on the business
- sort the risks according to their relevance and impact
- create a risk assessment that relates the probability of an event occurring to the costs the event would incur
Risk management is instrumental in IT - but only if experts accompany, develop and optimize the decision-making process around the IT security measures to be used in the future.
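As an added example (not from the original article), here is how the three risk-based steps above can be carried out in a small Python script: each risk is scored as probability times impact, risks are ranked by that expected annual loss, and candidate security measures are then funded in order of net benefit until the budget is used up. All figures are constructed placeholders, and the greedy budget allocation is my own simplification of the "relate probability to cost" step.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    annual_probability: float  # estimated chance the event occurs within one year
    impact_eur: float          # estimated cost if it occurs (recovery, downtime, external help)

@dataclass
class Control:
    name: str
    risk: str                   # name of the risk this measure addresses
    annual_cost_eur: float
    probability_reduction: float  # fraction by which the measure lowers the event probability

def expected_loss(r: Risk) -> float:
    """Step 3: expected annual loss = probability x cost of the event."""
    return r.annual_probability * r.impact_eur

def rank_risks(risks):
    """Step 2: sort risks by relevance, i.e. by expected annual loss, highest first."""
    return sorted(risks, key=expected_loss, reverse=True)

def control_benefit(c: Control, risks_by_name) -> float:
    """Loss averted by a measure minus what the measure costs per year."""
    return expected_loss(risks_by_name[c.risk]) * c.probability_reduction - c.annual_cost_eur

def plan_budget(risks, controls, budget_eur):
    """Greedy allocation: fund the measures with the best net benefit first.
    Measures whose cost exceeds the loss they avert are never funded."""
    by_name = {r.name: r for r in risks}
    ranked = sorted(controls, key=lambda c: control_benefit(c, by_name), reverse=True)
    chosen, spent = [], 0.0
    for c in ranked:
        if control_benefit(c, by_name) <= 0:
            break  # everything after this point costs more than it saves
        if spent + c.annual_cost_eur <= budget_eur:
            chosen.append(c.name)
            spent += c.annual_cost_eur
    return chosen, spent

# Constructed sample data - placeholder figures, not real statistics.
RISKS = [
    Risk("Ransomware", 0.15, 400_000),
    Risk("Phishing account takeover", 0.50, 40_000),
    Risk("Lost laptop", 0.80, 5_000),
]
CONTROLS = [
    Control("Offline backups + IR retainer", "Ransomware", 25_000, 0.60),
    Control("MFA for all remote access", "Phishing account takeover", 6_000, 0.90),
    Control("Full-disk encryption", "Lost laptop", 2_000, 0.95),
    Control("Premium EDR suite", "Ransomware", 50_000, 0.50),  # costs more than it averts
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.name:28s} expected annual loss: {expected_loss(r):>10,.0f} EUR")
    print(plan_budget(RISKS, CONTROLS, budget_eur=35_000))
```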
What costs should not be neglected when budgeting for IT security?
No company can permanently protect itself against every possible type of threat. The trick, then, is to prioritize the items in your IT security budget. When it comes to investing in IT security, some cost drivers tend to be overlooked. These include personnel costs (especially in a market as depleted as cybersecurity) and underestimated costs for replacing equipment, assets and systems after a cyberattack. In any case, it is advisable to plan a reserve for external service providers when investing in IT security. Even if a consultant or cybersecurity professional is already working for your company, second or third opinions may be needed in the spirit of 360° security.
Experience has shown that the following items can derail budget planning:
- Incident response costs.
In many budget plans, the indirect costs of responding to a cyberattack are not planned for in advance. All too often, smaller companies in particular fail to set up packages of measures for responding to cyberattacks. Without an incident response strategy, incidents drag on once damage has occurred.
- Underestimated recovery costs.
After a successful cyberattack, replacing components or systems is sometimes unavoidable. Replacement of compromised IT infrastructure is usually included in budget planning - but only for the most vulnerable components or systems. This "driving by sight" usually goes wrong, because the financial damage after a cyberattack is usually significantly higher than forecast.
- Costs for qualified personnel.
A glance at the usual job boards makes it clear that supply and demand have long been out of sync, especially for IT experts. More and more IT jobs need to be filled - and fewer and fewer IT specialists are available on the open market. Companies are therefore well advised not to underestimate the cost of hiring future IT professionals. Especially in the highly specialized field of IT security, qualified specialists are more or less free to choose their employer and their salary - if you want to keep up in the "war for talent", you should include the corresponding costs in your budgeting.
- External consultants or cyber defense specialists.
External IT security companies are an effective means of relieving the burden on the company's own IT security team while achieving the most comprehensive security possible. Many companies already rely on this support. However, budget planning should also include possible costs for additional service providers - true to the motto "four eyes see more than two".
Which investment in IT security is worthwhile with a view to the future?
Looking ahead to the next few years, we can expect a further increase in data integration, which will necessitate adapted, and in some cases new, measures in the area of IT security. The focus of digitization is Industry 4.0 - and with it come cloud services, SaaS (Software as a Service) and networked end devices and machines, all of which pose a challenge to IT security. Accordingly, the IT security budget should not only address current cyber threats, but also those of the near future.
The vast majority of companies in Germany have already internalized that investing in IT security is necessary and important. Cyber threats are becoming an ever greater danger to a company's ability to do business, not only quantitatively but also qualitatively. Espionage, sabotage, data theft: if you don't have a suitable cyber defense concept in place, you will quickly be faced with a mountain of costs. It is therefore all the more important to set the IT security budget prudently and tailored to the respective company.
When investing in IT security or determining the IT security budget, there are two ways to proceed. In the conventional approach, past experience is used to react to possible future events. This conventional approach to planning the IT security budget works well - but only up to the point where unplanned events blow the budget. The other way to plan IT security costs is the risk-based method. Here, potential risks are analyzed, sorted and evaluated according to their relevance and impact on the business. If the appropriate experts are available in the company, the risk-based approach is recommended.
One thing is certain, however: IT security costs are costs that protect against significantly higher costs. The more precisely and comprehensively an IT security department can act, the more cyber threats can be prevented in advance. And last but not least, this is easy on the budget.