Protecting Value – The 2024 Finance Guide To Cyber Budgeting

IBM research suggests that the average cost of a data breach in 2023 was $4.45 million (USD). This is a useful figure to consider when thinking about planning for cyber budgeting. Cyber security budgets unfailingly increase in the aftermath of a significant cyber security threat or data breach, only to then face pressure and reductions two or three years later.

The normal explanation for this is that a significant budget increase is required to fund time-critical recovery and remediation or improvement initiatives. Once an improved operational steady state has been reached the operational budget can be squeezed. Such a rationale, however, neglects the fact that a multi-million-pound incident is far less likely if consistent, long-term, and risk informed cyber security budgeting is followed.

To assist with 2024 cyber budget planning, we suggest that the following topics and questions are considered:

• Has the threat profile changed such that the organisation needs to actively protect against new or increased threats?
• Has appreciation of the threat profile changed, or are investments needed to improve the intelligence position to better anticipate and respond to cyber threats?
• Does a review of the security posture need to be undertaken before it can reasonably be anticipated that a need for improvement is required, and a costed strategy developed?
• Have discussions commenced with providers of cyber insurance or a cyber security analyst? Has the premium changed from last year? Are there any changes that could be made to make the premiums more affordable by positively addressing risks?

• What was the level of spend on operational security in the prior year? Was this sufficient to maintain a desired level of technical and operational coverage for cyber risk management?
• Has new tooling been introduced that causes the operational security budget to increase? For example, a 2023 project to introduce a new security tool may have been funded as capital expenditure but having completed, now needs to be funded from the operational budget.
• Likewise, have opportunities been realised for consolidation of security tooling which might introduce an opportunity to reduce in this area?
• Could a cyber security audit identify opportunities for efficiency, in order to maintain or improve cyber resilience without over-spending?

• Is it understood whether the organisation is in scope of upcoming regulations and cyber security certifications, the timescales, nature and extent of the change involved (e.g. EU DORA and NIS2)?
• Have decisions been made regarding change initiatives that need to be funded? If not, can the type and extent of change that needs to be achieved be anticipated and therefore overall change budget be set?
• Does a budget for proof of value and proof of concept initiatives, such as the adoption of AI security tooling, need to be discussed?
• Is it possible to outsource or co-source any of the security operations?

• Has the extent to which third party security due diligence affecting the ability to respond positively to customer enquiries been understood? Will this influence the prospect of winning or losing opportunities on the basis of responses to security threats?
• Are IT and other security services being provided from one group entity to others?  Does this present an opportunity to explore transfer pricing mechanisms to gain efficiencies and tax opportunities?

If budgets for cyber security are being set for 2024, these considerations may help you to determine what is an appropriate level for your cyber resilience in the forthcoming year. It’s essential to implement the utmost level of protection against cyber security threats, in the form of cyber security framework and cyber risk assessments to determine what exactly this is.

Here at Evelyn Partners, we help clients to understand and respond to their cyber security risks, improve maturity and manage compliance. We do this in ways that are proportionate to the sector and business risk, which matches business priorities and needs.

Our cyber security analysts provide clear, practical advice and support to help you address challenges, protect value, build and maintain trust, and realise opportunities. No matter what your cyber budgeting may be, we work with businesses of all sizes to help initiate and maintain a sufficient level of cyber resilience for your organisation.

Approval code: 23118199