Analyzing Cybersecurity Spending in Depth

Jack Freund, Ph.D., CISA, CISM, CRISC, Sr. Manager, Cyber Risk Framework for TIAA
@ISACA Volume 26, 23 December 2019

The US fiscal year 2020 presidential budget for cybersecurity-related activities is set at US$17.4 billion. This represents a 5% increase over the fiscal year 2019 budget and amounts to approximately US$53 for every person in the United States. More is actually spent, but due to the clandestine nature of some government work, the full budget is not reported publicly. By way of comparison, Bank of America is reported to spend approximately US$500 million annually on cybersecurity, or about US$2,400 for each of its employees. For its part, JPMorgan Chase spends approximately US$2,000 on cybersecurity for each of its employees. In aggregate, there is a forecast of US$1 trillion in worldwide cybersecurity spending over the 5-year period of 2017-21.

Naturally, organizations that are not as well capitalized (or that lack taxing authority) will spend considerably less on their cybersecurity programs. In your organization, you may be fighting for additional budget for the things you need to defend the perimeter from cyberattacks and the interior from nefarious insiders. So many controls need funding that it may seem there is never enough money in the budget to cover every need. As an example, the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 rev 4 baselines contain 115 low-impact controls, 159 moderate-impact controls and 170 high-impact controls. Fully implementing these controls in all the relevant locations, to the extent necessary, can be extremely costly and time consuming.

Indeed, many will begin implementing these controls and never arrive at the end of their implementation cycle. Daily cyberhygiene, patching, upgrading and putting out fires take time and momentum away from the control implementation projects an organization may have. Add to that the fact that the organization in which you operate has its own agendas in pursuit of its strategic objectives and, in the end, one will likely never be able to implement all the controls with the budget in place. The good news is that professionals do not need to.

Such “gotta catch ’em all” control implementation checklists (often disguised as security maturity measures) assume a world with an unlimited amount of money, time and staff. Unfortunately, we live in a different world, one that requires rationalizing where limited money is spent. This kind of reality requires a different approach. In any environment where resource allocation faces scarcity, economic principles must be applied. In security, applying a cyber value-at-risk (VaR) cyberrisk quantification (CRQ) methodology such as the open Factor Analysis of Information Risk (FAIR) standard gives you a way to focus on the riskiest scenarios. A fully formed risk scenario contains a statement of loss that helps top leadership in your organization focus on what is imperiled, along with why it should be funded. Further, relevant control solutions (such as those from NIST SP 800-53) can be paired with loss scenarios to enable decision-makers in the organization to make a fully informed choice: invest in one of the control solutions, or accept the potential losses associated with inaction.
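The following is an added example of the kind of scenario-level calculation described above; it is not code from the article, from TIAA or from any FAIR tool. It models one loss scenario the FAIR way (a calibrated minimum/most-likely/maximum estimate of loss event frequency and of loss magnitude per event), simulates many years, and reports annualized loss exposure (ALE) together with a 95% value-at-risk figure, first without and then with a control, so the "invest or accept the loss" choice is a comparison of two numbers against the control's annual cost. The scenario names, estimate ranges and control cost are constructed for illustration; the triangular distribution stands in for the PERT curve most FAIR tooling uses, and Poisson-distributed event counts are an assumption about how a frequency rate turns into events in a given year.

```python
"""FAIR-style cyber value-at-risk simulation for one loss scenario.

Added example, not the article's or any vendor's code. Assumes:
annual loss = sum of per-event losses, where the number of events in a
year is Poisson with a rate drawn from a three-point frequency estimate,
and each event's loss is drawn from a three-point magnitude estimate.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT distribution used by FAIR tools.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: loss events per year and loss per event."""
    name: str
    loss_event_frequency: Estimate  # events per year
    loss_magnitude: Estimate        # currency units per event


def _poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; fine for the small rates typical of LEF."""
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, trials: int, seed: int = 2019) -> list[float]:
    """Monte Carlo: one simulated year per trial; returns each year's total loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = _poisson(scenario.loss_event_frequency.sample(rng), rng)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def value_at_risk(losses: list[float], confidence: float) -> float:
    """Loss not exceeded in `confidence` of simulated years (e.g. 0.95)."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[index]


def evaluate_control(baseline: Scenario, with_control: Scenario, annual_control_cost: float,
                     trials: int = 20_000, confidence: float = 0.95) -> dict:
    """Compare expected (ALE) and tail (VaR) loss with and without a control.

    The control is worth funding when the expected loss it removes exceeds
    its yearly cost; the VaR figures show what a bad year still looks like,
    which is what "accept the risk" actually commits leadership to.
    """
    base = simulate_annual_losses(baseline, trials)
    ctrl = simulate_annual_losses(with_control, trials)
    base_ale, ctrl_ale = mean(base), mean(ctrl)
    reduction = base_ale - ctrl_ale
    return {
        "baseline_ale": base_ale,
        "baseline_var": value_at_risk(base, confidence),
        "controlled_ale": ctrl_ale,
        "controlled_var": value_at_risk(ctrl, confidence),
        "ale_reduction": reduction,
        "annual_control_cost": annual_control_cost,
        "net_benefit": reduction - annual_control_cost,
        "decision": "invest" if reduction > annual_control_cost else "accept risk",
    }


# Constructed illustration: business email compromise leading to fraudulent wires.
BEC_BASELINE = Scenario("BEC wire fraud, current controls",
                        loss_event_frequency=Estimate(0.5, 2.0, 5.0),
                        loss_magnitude=Estimate(20_000, 150_000, 1_200_000))
# Assumed effect of phishing-resistant MFA plus out-of-band payment verification:
# frequency cut roughly fivefold, loss per event unchanged.
BEC_WITH_CONTROL = Scenario("BEC wire fraud, MFA + payment verification",
                            loss_event_frequency=Estimate(0.1, 0.4, 1.0),
                            loss_magnitude=Estimate(20_000, 150_000, 1_200_000))
CONTROL_COST_PER_YEAR = 250_000  # constructed figure

if __name__ == "__main__":
    for key, value in evaluate_control(BEC_BASELINE, BEC_WITH_CONTROL, CONTROL_COST_PER_YEAR).items():
        print(f"{key:>20}: {value:,.0f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

The point of the output is the last line: the conversation with an executive becomes "this control costs 250,000 a year and removes roughly this much expected loss; without it, one bad year in twenty costs at least this much", rather than a request for another item on a checklist. The same function, run with a control whose yearly cost exceeds the loss it removes, returns "accept risk", which is also a legitimate, documented decision.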

Managing information security this way fundamentally changes the conversation with stakeholders. Instead of requests that look like a collector’s wish list, it gives executives the ability to make nuanced choices and puts them in the driver’s seat. Economic cybersecurity decision-making has the added benefit of maturing other areas of your organization: it compels higher-quality discussions about what risk is acceptable in pursuit of organizational goals. Instead of pursuing spending in depth, justify cybersecurity budgets using economic measures that are meaningful to the organization’s business objectives.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director of risk science for RiskLens, a member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.