Governance Risk & Compliance (GRC)

How to Budget the Right Amount to Address your Cyber Posture

October 10, 2022

According to a study released by Deloitte (FS-ISAC/Deloitte Cyber & Strategic Risk Services CISO Survey Reports; 2019 and 2020; Deloitte Center for Financial Services analysis), the average company spends somewhere between 6% and 14% of its annual IT budget on cybersecurity. Moreover, according to Deloitte, the average annual security spending per employee increased from $2,337 in 2019 to $2,691 in 2020. 50% of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43% spending $250,000 to $999,999, and just 7% spending under $250,000. Many factors may affect the right amount of readiness and spending. But all companies must ask the all-important question: what is the cost of not preparing, or of responding when it is too late? Budget season is upon us, so now is the time to budget and plan accordingly.

Every day we hear of new cyberattacks or cyber threats. For every company, how you prepare to address these threats needs to be thoughtfully considered and paid for. This is especially true for Government Agencies and Government Contractors, as both hold our national security and trade secrets in trust. With budget cycles upon us, how do you know the right amount of money to allocate in the budget to safeguard our national security? Moreover, how do you consider the impact of a breach and weigh the cost and benefit of the money spent to protect your agency or company against one?

Last year was one of the worst years in terms of cyberattacks, and upwards of 50% of companies expect an increase in cyber incidents in the next year. Research shows an estimated 70% of companies expect an increase in funding over the last year to address their cyber hygiene. At a time when companies are systematically instituting, and educating their staff on, a company posture of cybersecurity best practices and assessing cyber risk, the banking and insurance industries are also looking at companies through a lens of cyber risk. So the implications now go beyond the all-important task of keeping data secure. Moreover, the task of addressing cybersecurity reaches beyond the walls of any company and deep into a firm’s relationships and supply chain (what I now refer to as the “cyber chain”). All of this means there is a cost to consider when producing budgets, as the threat of a breach is increasing by the day.

Most of us subscribe to the notion that we’d all live in a safer world if cybersecurity were woven into the everyday fabric of our lives. Private and public sector alike, it’s up to us as companies and as individuals to keep our country safe from bad actors. But, as with most things in life, there are costs to consider, and many factors affect the cost of addressing cybersecurity. For instance: the complexity of your operations; how seriously a Board of Directors takes the risk of cyber threats, which shapes the degree to which you prepare for them; whether you’re a private or public sector business; what your supply chain is made up of and what cyber challenges it may introduce; and numerous other considerations. And don’t forget the make-up and size of your own workforce, and how well-versed and trained they are in terms of cyber diligence.

For the Government Contracting community, there are now security guidelines and mandates such as the Cyber Maturity Model Certification (CMMC). Now that these mandates are showing up, or will show up, in contract vehicles, companies must address cyber readiness if they want to continue being awarded contracts. The good thing is that, while many companies think of these requirements as the minimum and known expectation, they do provide a roadmap that can inform the effort and cost to address them. The nuance in the cost equation may be affected by many of the aforementioned factors.

The threat of cyber attacks will only increase. How companies ready themselves to prevent attacks and how they respond if an attack occurs will determine how we keep the U.S. as safe as possible. Thus, it’s up to every company to determine its risk mindset and plan the right focus, time, and money to address cybersecurity. 

ABOUT THE AUTHOR
Matt Fogo - NeoSystems Corp

Matthew Fogo is SVP of Sales, Marketing, and Channel Management for NeoSystems Corp, a Managed Security Services, Hosting, and Systems Integration Company based in Reston, VA. Matt has more than 35 years of experience serving in executive roles to manage and enable firms that contract with the Federal Government. Matt has consulted at enterprise-class government contracting firms, held senior positions at leading technology firms, and holds a Master’s Certificate in Government Contracting from The George Washington University, as well as a Bachelor of Science degree in Accounting and Finance from The University of Mary Washington.