According to IDC’s Worldwide Semiannual Security Spending Guide, global spending on security-related hardware, software, and services is forecast to reach US$103.1 billion in 2019, up 9.4% over 2018. Is that a good sign? Perhaps better than nothing?
The Cybersecurity Ventures report, 2019 Official Annual Cybercrime Report, predicts that cybercrime will cost the world in excess of US$6 trillion annually by 2021, up from US$3 trillion in 2015.
“This dramatic rise (in damage costs) only reinforces the sharp increase in the number of organizations unprepared for a cyberattack,” says Robert Herjavec, Founder and CEO of Herjavec Group.
It appears that a deep chasm exists between what organisations are willing to spend on security and what a breach could cost their business. How much should an organisation spend on security and cybersecurity?
Boston Consulting Group (BCG) compiled average cybersecurity spending figures – see Figure 1 – revealing the lack of a standard benchmark.
Figure 1: Comparison of average security spending benchmarks
Source: Are You Spending Enough on CyberSecurity?, BCG
Some of the largest banks spend over half a billion dollars on security. JPMorgan Chase Chairman and CEO Jamie Dimon revealed that the bank spends about US$600 million annually on security and employs around 3,000 people on cybersecurity.
In reality, should there be a benchmark figure?
Ira Winkler, president of Secure Mentem, says that because the Chief Financial Officer is responsible for mitigating financial losses, the CFO should have oversight of security-related efforts.
In an exclusive interview with FutureCFO, he offers a convincing argument on who is accountable for the security position of a business – HINT: the CFO.
Given this responsibility, he suggests that the CFO confront the Chief Information Security Officer (CISO) or Chief Security Officer (CSO) and instruct the security head to declare a budget that will enable the security function to do its job.
“When you are responsible for mitigating loss, you have to base your countermeasures on the potential loss – not on what you're investing in technology,” he countered.
In describing the security-budget thought process, he suggests that the CFO not focus on how much is being invested in technology but rather on the potential loss to the business that the company is trying to avoid.
“Let's say a bank might have an IT budget of a hundred million dollars. The CFO of the bank has to say am I protecting the hundred million dollars’ worth of computers or am I protecting the billions of dollars that go through our computers on a daily basis?” he suggested.
He goes on to say that in the event of a breach or attack, the loss to the bank will not be the hundred million dollars of computers but the billions of dollars lost for each day the computer systems are down.
“The CFO has to stand there and say I'm a risk professional. I need to make sure that that chief information security officer is budgeting not for his portion of the hundred-million-dollar technology budget but rather for protecting the billions of dollars a day going through the computers,” concluded Winkler.
CFOs should watch the video to appreciate the enormity of the problem and the simplicity of the approach to dealing with the CISO/CSO.