Cybersecurity Budgets vs Costs of Cyber Attacks


To consider the costs of cybersecurity we have to look at both spending on cybersecurity and the costs of cyber attacks. Spending includes the cost of a full security team and how that cost fits within the overall cybersecurity budget. The ideal cybersecurity team size does not scale down for smaller businesses, and many businesses have to find ways to reduce security spending in order to fit within budget constraints. To determine the costs of cyber attacks, we have to look at the cost of security breaches, the likelihood that they succeed, and the odds that they will happen to any given company. Once this data is established, we will be able to answer the question: how well balanced is the budget against the potential impact of a cybersecurity attack?

Cybersecurity budgets and spending

Similarities and differences in cybersecurity team structures between small, medium, and large/enterprise businesses

The cost of hiring a cybersecurity team is not a straightforward question. Many variables factor into how many people are on that team, what positions the team is composed of, and whether a company even has a dedicated in-house team. However, using average compositions of cybersecurity teams and the costs of those teams, we can calculate total headcount costs for various company sizes. The first step in calculating the cost of a team is to discuss the composition of cybersecurity teams and how companies of different sizes structure them.

Similarity: Occupational Structure

There are a LOT of cybersecurity job titles. Here you can find an interesting article listing 50 of them. You’d be hard pressed to find a company that has fifty cybersecurity employees, let alone one of each of these titles. However, we can group these titles into the eight categories shown in the table below.

Sourced from: (ISC)2 

The percentage of security employees that make up each of these roles is also included. Overall there is a relatively even spread across these roles between all business sizes. This is good news for us, as it will make visualizing salary costs easier later in this article. Less specialized roles, particularly security operations and security administration, make up the largest percentage of employees. More specialized roles, like forensics, penetration testing, and secure software development, make up the lowest percentage of employees.

Difference #1: Dedicated cybersecurity teams

It is rare for a company to have an in-house team dedicated solely to cybersecurity. Overall, based on research by STX Next, only 20 percent of companies have an internal team dedicated to cybersecurity. Smaller companies skew this percentage, as they are much more likely to outsource than larger organizations are. The cost of a dedicated security team (which we will discuss soon) is often too much for smaller businesses’ budgets.

Next, in smaller businesses cybersecurity responsibilities tend to be held by a larger percentage of people with IT-oriented job titles. This data comes from research conducted by (ISC)2.

This suggests that larger businesses have teams dedicated to cybersecurity who work alongside their IT teams, whereas smaller businesses rely more heavily on general IT employees to own security.

Difference #2: Headcount of cybersecurity teams, and relation to total employee headcount

The total number of employees who are part of the cybersecurity team, and the percentage of the whole company these employees make up, are key variables when calculating the cost of a full cybersecurity team. A note: these calculations will focus on mid to large sized companies, because smaller companies are much less likely to have a dedicated cybersecurity team, which makes any realistic estimate difficult.

The average number of employees for the largest and mid-range companies is provided by a survey conducted by Osterman Research. The largest companies/enterprises surveyed have an average of 26,000 employees. Of these, there are roughly 17.5 cybersecurity personnel per business. The average number of employees at mid-sized companies was 2,510, with an average of 13.3 cybersecurity personnel.

It is interesting to note that while large companies have a greater number of cybersecurity personnel, the cybersecurity teams at mid-sized companies make up a higher percentage of the organization’s total employees. For large companies there is one cybersecurity pro for every 1,488 employees, or 0.07% of total employees. For mid-sized businesses there is one cybersecurity pro for every 189 employees, accounting for 0.53% of the company’s headcount. That is over 7 times the proportion of security employees relative to total company headcount.

Ideal team composition

We’ll discuss the ramifications of these insights, in regard to the cost of cyber attacks for each business size, in more detail below. However, it is interesting to observe that there seems to be a general standard for both the ideal composition of a cybersecurity team and the number of employees on it that is largely unaffected by how large an organization is. Of course, here we are just looking at raw numbers: large companies are more likely to hire more experienced cybersecurity employees, as well as more senior roles such as a CISO, which may not be found in smaller companies.

Budgets: Calculating the yearly cost of a cybersecurity team

One last variable we need before we can calculate the cost of a standard cybersecurity team is the average salary of each of the 8 cybersecurity roles we discussed previously. Using glassdoor.com and salary.com, the average salaries of these roles in the US were found to be as follows:

And now comes the fun part. Based on the average headcount of cybersecurity employees for mid-sized and large businesses, and the yearly salaries above, we can calculate an average standard cost for their cybersecurity teams.

The average salary cost of an entire cybersecurity team at a midsized company (~2,500 employees) is $1.24 million. The average cost of the team at an enterprise is $1.61 million. For kicks, we can average both of these numbers to get a general average: the average cybersecurity team is 15.4 people, and the yearly cost of a full team is $1.42 million.

As stated before, this is merely an average. Companies, particularly ones with less revenue, will outsource many of these positions. On the other end of the spectrum, some companies will go above and beyond this by hiring the best of the best. Some companies are paying millions of dollars just to hire their CISO. Nonetheless, it is important to find a standardized average of industry practices in order to form a discourse about that industry.

Companies’ Cybersecurity Budgets

Given the average cybersecurity budget, it becomes clear why many smaller businesses cannot afford a dedicated cybersecurity team. Budgets can swing fairly drastically, but looking at the averages gives us a rough estimate of how much companies spend on cybersecurity. The security budget comes out of IT, so we must first look at a standard IT budget for a company. Average IT budgets can swing all the way from just 2.5% up to 10% of a company’s annual revenue, but most often the numbers fall between 5% and 7.5%. On rare occasions in the tech industry this number can go all the way up to 20%, so keep that in mind. For the sake of this article we will discuss averages.

Of the IT budget, companies spend between 5% and 20% on security, with the most common spend range being 10%-15%. From these numbers we can derive the security budget for companies of different yearly revenues. The first table shows average security budgets assuming an IT budget of 5% of total revenue:

Sourced from: https://www.linkedin.com/pulse/why-you-probably-pricing-your-security-solution-all-wrong-rochford/?trackingId=GPwS9aNW9vWQoxC44HZuAw%3D%3D

The table below shows average security budgets assuming an IT budget of 7.5% of total revenue:

Sourced from: https://www.linkedin.com/pulse/why-you-probably-pricing-your-security-solution-all-wrong-rochford/?trackingId=GPwS9aNW9vWQoxC44HZuAw%3D%3D

The table shows that with a standard security budget, a company with $200 million in revenue would need to spend its entire security budget just to afford an in-house cybersecurity team.

Stagnation of IT budgets

Another thing to consider here is that just because cybersecurity demands are growing, along with cybersecurity budgets, it does not mean that IT budgets are growing to accommodate this. When asked the question “Cybersecurity budgets come in many sizes. How does your company determine yours?”, industry decision makers replied:

-“Most seem to be a subset amount carved out of total IT budget. Typically around 3-5%. Most of that budget revolves around (many) tools and few people running them. Security maturity developed around a framework with associated people, process, tech seems to be lacking for many.”

-“We never had a cybersecurity budget until recently when I said we need a dedicated budget for it. So they took a chunk of the IT budget and told me to be grateful! So we have no more money overall, but some for cybersecurity!”

Costs of cyber attacks

Global costs and statistics

Overall we estimate cyber attacks cost $6 trillion globally in 2021. The average cost of a data breach in 2021 was $4.24 million globally.

Sourced from: IBM Cost of a Data Breach Report 2021

Of companies that suffered a data breach, half suffered only one attack, but a quarter saw attacks on a monthly basis. And the frequency of data breaches is increasing rapidly. This graph shows the increase in companies reporting a data breach from 2020 to 2021.

Sourced from: Statista.com

Costs per data breach reached an all-time high in 2021. However, over the years the costs have not increased linearly. Since 2015 the average cost has bounced between a low of $3.62 million per breach in 2017 and 2021’s $4.24 million. The most worrying statistic is the frequency of data breaches. Many more companies reported a data breach in 2021 than they did in 2022.

Costs per employee headcount

Since we have discussed employee headcount and its relationship to the security budget at length, let’s look briefly at the cost per breach in organizations of different sizes.

Sourced from: IBM Cost of a Data Breach Report 2021

The cost per breach roughly doubles from small companies to large companies. In the past, data breaches were much more common in larger businesses. However, as we can see in the previous graph illustrating breach frequency, hackers targeted smaller businesses in 2021 much more frequently than before. While the cost is higher in larger businesses, the cost per employee is much higher in small and midsize businesses. This suggests that small to midsize companies are at greater financial risk if they suffer a data breach.

Tying it all together

If you have stuck with me so far (or skimmed to the conclusion), welcome. Now that we know about security budgets, global spending, and the costs of attacks, it’s time to answer the question: do cybersecurity budgets make sense when compared to the price of a cyber attack?

Are cybersecurity budgets an effective ROI?

Given the rapid change occurring in the cybersecurity field, it is hard to come up with exact data on this. However, there are a couple of interesting data points. The cost of a data breach for companies that invested in security automation was less than half that of those that didn’t. Also, enterprises that use cyber attack prevention strategies could save up to $1.4 million per attack.

While there is not a lot of data to pinpoint the exact ROI, not to mention that every industry and company size is targeted differently, it is by no means a stretch to say that the larger the budget, the more secure you are from attacks. And looking at the numbers, the cost of a data breach is larger than most security budgets. And what happens when multiple data breaches a year hit a company?

Are companies doing enough?

Enterprises have the advantage of the revenue to hire a dedicated security team, but not all do. For companies over 10,000 employees, 50% spend $1 million or more on security. This means that less than half put enough in their security budget to pay for a full in-house security team. For midsize and smaller businesses that don’t have the budget to hire a full team, alternative measures should be taken, such as outsourcing and implementing AI technology to make up for the lack of security employees. All of this points to the fact that it is reasonable to raise cybersecurity budgets.

As it stands, companies are getting their security budget by cutting into their IT budgets. This is not an effective way to allocate funds. Decision makers should see security budgets as a legitimate necessary cost of doing business, and require budgets that fit this cost accordingly.

Concluding thoughts

We mentioned earlier that cyber attacks cost around $6 trillion globally. So how much are we spending on security? In 2021 organizations spent $262.4 billion globally on cybersecurity. Cybersecurity Ventures projects that number to grow to $458.9 billion in 2025.

Sourced from: Cybersecurity Ventures

Despite rapid growth in cybersecurity budgets, many feel more should be done. In ISACA’s State of Cybersecurity 2019 report, 60% of respondents said they felt cybersecurity was underfunded. Cybersecurity spending totaled just 4.4% of the cost of cybercrime attacks. No amount of budget rationalizing can argue against that startling statistic.

As it stands, the average security budget is 0.78% of company revenue. Your company needs to evaluate whether it stands to lose more than 0.78% of revenue a year from being unprepared for cyber attacks. For companies over 5,000 employees, just one data breach can cost an average of 5.15 million dollars (or more).

In order for 0.78% of a company’s revenue to be greater than 5.15 million dollars, the company would need an annual revenue of 630 million dollars. For a company between 1,000 and 5,000 employees, that number looks less realistic. For their budget to equal the cost of one data breach, they need an annual revenue of 590 million dollars. Given that it is more likely than not that a company will suffer at least one data breach, we’d generally recommend the budget be scaled to at least match the cost of a data breach, keeping in mind that more than one data breach a year is not out of the question.

Sources:

https://www.isc2.org/Research/-/media/6573BE9062B64FC7B4B91F20ECC56299.ashx#:~:text=On%20average%2C%20there%20will%20be,cybersecurity%20professionals%20across%20other%20countries

https://www.itproportal.com/news/barely-any-businesses-have-a-dedicated-cybersecurity-team/

https://blog.isc2.org/isc2_blog/2021/02/how-small-businesses-and-big-enterprises-structure-their-cybersecurity-teams.html

https://www.latimes.com/business/story/2019-08-07/cybersecurity-pros-name-their-price-as-hacker-attacks-swell

https://www.linkedin.com/pulse/why-you-probably-pricing-your-security-solution-all-wrong-rochford/?trackingId=GPwS9aNW9vWQoxC44HZuAw%3D%3D

https://parachutetechs.com/2022-cyber-attack-statistics-data-and-trends/

https://www.zdnet.com/article/two-thirds-of-large-businesses-have-suffered-a-data-breach-in-past-year/

https://info.deepinstinct.com/value-of-prevention

https://cybersecurity.att.com/blogs/security-essentials/how-to-justify-your-cybersecurity-budget
