How to Budget the Right Amount to Address your Cyber Posture By Matt Fogo, NeoSystems
girl with computer

By Matt Fogo 

According to a study released by Deloitte (FS-ISAC/Deloitte Cyber & Strategic Risk Services CISO Survey Reports; 2019 and 2020; Deloitte Center for Financial Services analysis), the average company will spend somewhere between 6% and 14% of their annual IT budget on cybersecurity. Moreover, according to Deloitte, the average annual security spending per employee increased from $2,337 in 2019 to $2,691 in 2020. 50% of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43% spending $250,000 to $999,999, and just 7% spending under $250,000. Again, many factors may impact the right amount of readiness and spend. But, all companies must ask the all-important question of, what’s the cost of not preparing, or responding when it’s too late?  Budget season is upon us, so now is the time to budget and plan accordingly.   

Every day we hear of new Cyber attacks or Cyber threats. For every company, how you prepare to address these threats needs to be thoughtfully considered and paid for. This is especially true for Government Agencies and Government Contractors as they both hold our national security and trade secrets in trust. With budget cycles upon us, how do you know the right of amount of money to allocate to the budget to safeguard our national security?  Moreover, how do you consider the impact of a breach and weigh the cost/benefit monies spent to protect your agency or company against a breach? 

Last year was one of the worst years in terms of Cyber attacks, and upwards of 50% of companies expect an increase in Cyber incidents in the next year. Research shows an estimated 70% of companies expect an increase in funding over last year to address their Cyber hygiene.  At a time when companies are systemically instituting and educating a company posture of Cybersecurity best practices, and assessing Cyber risk, the banking and insurance industries are also looking at companies through a lens of Cyber risk. So, the implications now go beyond the all-important task of keeping data secure. Moreover, the task of addressing Cybersecurity reaches beyond the walls of any company and deep into a firm’s relationships and supply chain (what I now refer to as, “Cyber Chain”).  All of this means there is a cost to consider when producing budgets as the threat of a breach is increasing by the day.  

Most of us prescribe to the notion that we’d all live in a safer world if Cybersecurity was woven into the everyday fabric of our lives. Private and public sector alike, it’s up to us as companies and as individuals to keep our country safe from bad actors. But, like with most things in life, there are costs to consider. And, many factors impact the cost of addressing Cybersecurity. For instance, the complexity of your operations may impact cost, how seriously a Board of Directors takes the risk of Cyber threat may impact the degree to which you prepare for Cyber threats, whether you’re a private or public sector business, what your supply chain make-up is and what Cyber challenges it may introduce, and numerous other considerations. And don’t forget the make-up and size of your own workforce, and how well versed and trained they are in terms of Cyber diligence.   

For the Government Contracting community, there are security guidelines and mandates now such as the Cyber Maturity Model Certification (CMMC). Now that these mandates are/will show up in contract vehicles, companies must address Cyber readiness should they want to continue being awarded contracts. The good thing is that, while many companies think of these requirements as the minimum and known expectation, they do provide a roadmap that can inform the effort and cost to address them. The nuance to the cost equation may be impacted by many of the aforementioned factors. 

The threat of Cyber attack will only increase. How companies ready themselves to prevent attacks and how they respond should an attack occur will determine how we keep the U.S. as safe as possible. Thus, it’s up to every company to determine their risk mindset and plan the right focus, time, and money to address Cybersecurity. 

Matthew Fogo is SVP of Sales, Marketing, and Channel Management for NeoSystems Corp, a Managed Security Services, Hosting, and Systems Integration company based in Reston, VA. Matt has more than 35 years of experience serving in executive roles to manage and enable firms that contract with the Federal Government. Matt has consulted at enterprise-class Government Contracting firms, held senior positions at leading technology firms, and holds a Master’s Certificate in Government Contracting from The George Washington University as well as a Bachelor of Science degree in Accounting and Finance from The University of Mary Washington.  As the Co-Chair for the Governance, Risk, and Compliance Community, under The Cyber Guild, Matt finds it critical for our national security for individuals and all companies to take seriously the threat of cyber-attacks.  (The Cyber Guild is a not-for-profit organization working to improve the understanding and practice of cyber security, and to help raise awareness and education for all).