How to Plan an Effective Cybersecurity Budget in 2024

If you’re reading this, it means you take cybersecurity as seriously as we do. The bad news is that cybercriminals are just as serious about defeating it. Last year alone, over eight billion data records were breached worldwide, according to IT Governance.

Naturally, organizations want powerful cybersecurity measures, but how do you plan a budget that covers all your cybersecurity needs yet doesn’t waste money? Where should you spend your resources, and which cyber risks should you focus on most?

This article shares practical tips for creating cybersecurity budgets to help you navigate evolving threats effectively.

Understanding the Cybersecurity Landscape in 2024

Cybersecurity budgets are growing in response to emerging threats as businesses finally realize that even one attack costs a fortune. According to Cybercrime Magazine, the global cost of cyberattacks will be about $10.5 trillion annually by 2025.

What’s worse, cyber threats constantly change, and your cybersecurity measures need to keep up. Here are some major industry disruptions from just this year:

• The rise of geopolitical turmoil and economic uncertainty. 71% of European chief information security officers worry about cyber warfare between nation-states.
• Rapid adoption of new artificial intelligence (AI) technologies. The UK’s National Cyber Security Center claims that AI will almost certainly increase the volume and impact of cyberattacks over the next two years.

• Data speed and increasing cloud infrastructure complexity. Managing a massive volume of data in multi-cloud environments and complicated operating technologies challenges risk assessment.

Simultaneously, organizations face security challenges that have persisted for years:

• Ransomware attacks. Ransomware payments in 2023 hit a record $1.1 billion.
• Social engineering. According to Firewall Times, 98% of cyberattacks involve some form of social engineering.
• Widespread data breaches. IBM has calculated that the average cost of a data breach was $4.45 million in 2023.
• Regulatory pressure. In addition to existing regulations like GDPR, HIPAA, PCI-DSS, and state policies like CCPA and CPRA, the most notable legislative and regulatory changes on the horizon include amendments to the US’s FTC Safeguards Rule, SEC proposals on digital engagement practices, and CFPB proposals on personal financial data rights.

In 2024, security professionals must respond to the combined impact of all these factors by adopting various practices, technological advances, and structural reforms. Thus, companies must include sufficient cybersecurity strategies and risk management plans in their IT budgets.

Assessing Your Organization's Cybersecurity Needs

Cybersecurity budgeting is a complex process that involves technology, operations, compliance, and comprehensive management. Organizations need a multidisciplinary approach, strong leadership, clear communication with stakeholders, and thorough preparation to address cybersecurity challenges effectively.

The first step in determining your budget is assessing your company’s needs and current cybersecurity posture based on the following factors.

Size and Complexity

Larger companies (10,000 or more employees) with extensive digital footprints and sensitive information need a cybersecurity budget allocation larger than a smaller organization would need.

However, smaller businesses often allocate more of their overall IT budget to security than larger firms. Every organization must allocate a baseline amount for information security, and which is similar regardless of firm size.

Tools Currently in Use

Organizations building an in-house security operations center (SOC) may have higher upfront costs compared to those investing in multiple or co-managed solutions. When introducing new technologies, make sure to align technology priorities with security capabilities and consider third-party risk management.

Employee Skills

Technological advances can't substitute for investing in talent to close cybersecurity skill gaps. However, hiring and retaining skilled personnel can be a challenge for cybersecurity budgets. We advise organizations to explore alternative solutions that balance investing in employee education with leveraging emerging technologies like AI to augment cybersecurity capabilities.

Risk Profile

Compliance with federal and state regulations and protecting sensitive data sets is critical. Industries with stringent regulatory requirements, such as finance and healthcare, may need to allocate more resources for compliance measures than other sectors. Additionally, companies must consider how attractive their data is to cybercriminals when determining cybersecurity budgets.

Now, let’s look at how industry-specific needs influence budget allocation.

Cybersecurity Budgets by Industry

Recent research indicates that businesses spend approximately 11% of their IT budgets on security. However, this percentage varies across industries, influenced by factors such as sector-specific data and technological and regulatory requirements.

You should analyze cybersecurity budget decisions across sectors to evaluate your company’s planned spending and consider opportunities for savings. Here are benchmarks showing the average cybersecurity spending as a percentage of the annual IT budget by industry:

• Technology: 13.3%
• Healthcare: 13.3%
• Business services 13.2%
• Consumer goods and Services: 9.7%
• Financial services: 9.6%
• Manufacturing: 6.1%
• Retail: 6.0%

For another perspective on cybersecurity spending across industries, here’s a report that shows the percentage of security executives who expect to increase their cybersecurity budget by mid-2024 compared to 2023:

• Business/professional services: 89%
• Healthcare: 85%
• Energy: 85%
• Entertainment: 89%

Note that all sectors listed anticipate similar spending increases.

How to Develop a Comprehensive Budget Strategy

A Statista report released in late 2023 states that 80% of business and technology executives worldwide anticipate an increase in their organization's cybersecurity budget for 2024. Gartner forecasts a 14.3% rise in global security and risk management spending, reflecting the need to address the expanding attack surface and turbulent global landscape.

However, the dilemma confronting many CISOs (chief information security officers) is optimizing cybersecurity defense with a tight budget. Meeting this challenge calls for hyper-focused, directed spending on initiatives that offer the greatest business value. Let’s examine how you can optimize your cybersecurity budget in specific spending categories.

Software Investment

When it comes to software tools, like antivirus software, firewalls, auditing systems, and backup solutions, you must consider upfront costs and ongoing expenditures. On average, an enterprise uses around 76 security tools: 21% of the cybersecurity budget might be spent on off-premises software and 9% on on-premises software, according to IANS.

The key is to tailor your budget to your company’s needs and avoid trendy yet unnecessary technologies. For example, complex intrusion detection systems designed for large enterprises would be overkill for small businesses, whereas basic consumer-grade security solutions would be inadequate for large enterprises.

Human Resource Allocation

Skilled cybersecurity professionals are in high demand. Personnel can eat up 38% of your cybersecurity budget. However, besides hiring knowledgeable specialists, businesses should leverage automated solutions. Investing strategically in automated technology frees cybersecurity teams to focus on high-value tasks, potentially boosting job satisfaction and staff retention.

A robust cybersecurity team typically includes the following roles:

• Security analyst(s)
• Security engineer(s)
• Security Operations Center (SOC) manager
• Chief Information Security Officer (CISO)

You can employ these experts or outsource these roles to a cybersecurity services provider.

Cybersecurity Outsourcing

Developing a thorough cybersecurity program involves vulnerability assessments, penetration testing, compliance checks, a security architecture review, and monitoring services. Many organizations outsource these services, and you can, too.

Hardware and infrastructure maintenance

A 2023 analysis by Forrester shed light on what US security managers consider the most cost-effective infrastructure elements to include in a cybersecurity budget:

• Cloud security spending is increasing, with 80% of IT security decision-makers planning an increase in the next 12 months. This is due, in part, to ongoing migration to the cloud and concerns about misconfigured workloads.
• Upgrading on-premises systems remains a priority, with 75% of IT security decision-makers planning to increase spending.
• Managers expect spending on managed security services to grow, including a shift to the cloud and emerging AI-powered initiatives.

Training Initiatives

The budgeting process should cover training programs to teach your teams about cybersecurity challenges and best practices for managing security. It’s vital to customize training content for different audiences, including staff, management, and consultants, and to test its impact regularly. Given the shortage of skilled resources in the market, investments in training can help you stay ahead of cybersecurity threats.

Compliance

Regulatory mandates involve compliance-related expenses. These include reporting, audit preparation, and potentially hiring a data protection officer (DPO).

Security Incident Preparation

Despite the reported increase in budget allocation, it's essential to remain prepared for any eventuality. Security incident costs include expenses for forensic investigations, legal proceedings, compliance penalties, and efforts in public relations and customer compensation.

How to Maximize Cybersecurity ROI

With economic uncertainty extending into 2024, some CISOs may face tighter budgets. If you’re one of them, you must know that cutting corners on cybersecurity carries significant risk, so companies should conduct a thorough evaluation of the ROI for security measures. They must seek to balance spending with risk-reduction outcomes.

Focus Cybersecurity Spending on Critical Assets

To tailor your cybersecurity strategy effectively, prioritize your organization's critical assets, like servers and privileged accounts. In a financial institution, for example, this may include the central banking system and accounts with administrative control over critical financial transactions. Organizations can mitigate risk and maintain client trust by protecting systems with customer financial data and prioritizing transaction integrity.

Suggested Strategic Investment Areas

Evaluate ongoing cybersecurity investments, resolve conflicts, and set priorities that balance cost and risk reduction. Use reputable cybersecurity budget strategy guides like that of Forrester, which recommends that companies focus on specific areas:

• API security to protect new business models and partnerships
• Multi-factor and passwordless authentication to reduce exposure to phishing attacks
• Zero trust network access (ZTNA) for secure remote access and fine-grained control over assets
• Extended detection and response (XDR) platforms for advanced threat detection capabilities to support security teams
• Security posture management (SPM) to monitor and protect critical cloud infrastructure and SaaS applications
• Consent management software solutions to ensure compliance with privacy regulations
• AI-generated synthetic data, if you’re ready to experiment with AI analytics and model training while maintaining data privacy and security

The bottom line is that security leaders should focus investment on security measures that protect the systems that interact with your customers and that generate revenue.

Automate Security Operations

Identify where you can automate processes to streamline workflows and reduce costs. Evaluate existing service level agreements (SLAs) to ensure they align with your cybersecurity requirements.

Begin by exploring the automation capabilities of your current IT solutions. Use tools and techniques such as:

• Security orchestration and automated response (SOAR) tools for automated cyberattack prevention
• Native IT asset management tools and cloud provider services, such as Microsoft's Secure Score or Google Cloud Platform's posture mapping

Manual management, validation, remediation, and tracking of security can be challenging and impractical, particularly when considering ROI.

Skip Tech Tools with Little ROI

Consolidate vendors and tools to eliminate redundancy and inefficiency. Ensure every tool demonstrates a clear ROI. The ROI might manifest as labor savings, threat mitigation, or operational impact.

Consider minimizing or avoiding investment in the following areas:

• Consider cloud migration and hybrid work models instead of on-premises security appliances.
• Eliminate low-value consulting engagements, such as redundant penetration tests and costly audit preparations.
• Reduce spending on standalone governance, risk, and compliance (GRC) tools with overlapping capabilities.
• Shift from less effective technology, like runtime application self-protection (RASP), to posture management or modern application protection solutions.

Essentially, you should assess the functionality of your standalone security controls and reduce overlap with other deployed platforms.

Implementing and Monitoring Your Budget Plan

Flexibility and adaptability in cybersecurity budget planning allow organizations to respond quickly to emerging threats and evolving business objectives. Organizations should establish clear protocols for budget execution and business processes, including regular reviews and updates to account for changing threats and priorities. Let’s explore them with practical guidance.

How to Monitor Spending

To track cybersecurity spending and measure the impact of your initiatives, you should:

• Conduct a cost-benefit analysis for each cybersecurity initiative.
• Define and track KPIs directly linked to the objectives of each cybersecurity initiative.
• Measure the impact of cybersecurity initiatives on incident response metrics, such as the time to contain security breaches or the extent of damage they cause.
• Gather feedback from employees and customers to assess their satisfaction with cybersecurity measures.
• Use quantitative analyses, such as a net present value (NPV) analysis, to quantify the financial benefits of cybersecurity initiatives.

Based on these measurements and analyses, adjust your budget as needed throughout the fiscal year.

Use a Governance, Risk, and Compliance (GRC) Framework

Develop a comprehensive GRC framework to manage cyber risk and ensure compliance with industry standards throughout the fiscal year. To accomplish this, implement the following steps:

• Use an authoritative cybersecurity framework, such as that of the US National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), to ensure transparency, accuracy, and precision in cybersecurity practices.
• Imitate threats by implementing testing based on frameworks like the MITRE Corporation's Adversarial Tactics Techniques & Common Knowledge (ATT&CK) framework. This ensures that protections are effective and work as intended, by recognized standards.

As you develop a comprehensive GRC framework to manage risk, you must also prepare for unforeseen cyber challenges.

Expect Unexpected Expenses

In 2024, cybersecurity continues a shift from a mere technological concern to a critical business issue thanks to global conflicts, major elections (including that of the White House), looming terrorist threats, and other developments. In response, organizations must adapt and strengthen cybersecurity strategies to effectively navigate these challenges:

• Prepare for the unexpected by maintaining a security budget buffer and fostering a mindset of cyber resilience.
• Consider cyber insurance, which 71% of global leaders purchase to protect against financial losses.
• Treat cybersecurity as an ongoing process. Invest in continual security testing and improvement, incident response planning, and comprehensive training.

By integrating these considerations and approaches, you can make informed cybersecurity investment decisions, manage risk effectively, and maximize the impact of your spending.

Conclusion

The escalating incidents of data breaches and cyberattacks globally underscore the critical need for robust cybersecurity measures in all industries. Organizations can optimize security investment strategies by aligning spending with risk tolerance, prioritizing project portfolios, auditing tech tools, and integrating governance. Treating cybersecurity as an ongoing process strengthens resilience against evolving threats.

Try integrating these strategies to effectively manage risk and maximize the impact of your cybersecurity budget.

FAQ

1. What is the average budget for cybersecurity in 2024?

   Recent research suggests that businesses allocate approximately 11% of their IT budgets to security expenditures. However, this varies depending on factors like the size and complexity of an organization and the business’s specific cybersecurity needs. The percentage also varies across sectors: Technology – 13.3%, Healthcare – 13.3%, Business services – 13.2%, Consumer goods and Services – 9.7%, Financial services – 9.6%, Manufacturing – 6.1%, Retail – 6.0%.

2. Are cybersecurity budgets increasing?

   Yes. A report released in late 2023 found that 80% of business and technology executives surveyed worldwide anticipated increasing their organization's cybersecurity budget for 2024. Additionally, Gartner forecasts a 14.3% rise in global spending on security and risk management.