When discussing cybersecurity vulnerabilities, we often focus on the clever tactics used by threat actors or the challenges our teams face in maintaining good cyber hygiene. However, we may overlook a significant threat to security: an inadequate cybersecurity budget.

Although businesses have been increasing their spending on cybersecurity products and services, with global expenditure projected to surpass $1 trillion between 2017 and 2021, the costs associated with cybercrime continue to exceed these investments. This demonstrates a significant gap between businesses' desire to protect themselves and their ability to invest in effective cybersecurity measures.

To flip the cybercrime equation, security leaders must adopt a new perspective on cybersecurity budget breakdown. The focus should be on minimizing an organization's exposure to the adverse financial/operational consequences of a cyberattack rather than matching financial losses with increased spending.

To minimize the organization's exposure to adverse financial/operational consequences, it is crucial to build an annual cybersecurity budget, set as a percentage of revenue, in a manner that minimizes the following risks:

  • The likelihood of a threat actor infiltrating the systems.
  • The duration in which a threat actor can operate covertly and persist within the environment before being detected and neutralized.
  • Insider threats arising from employees or individuals with privileged access compromising security.
  • Risks due to inadequate cybersecurity awareness and training, increasing vulnerability to social engineering, phishing, and other cyber threats.

By prioritizing the following key objectives—prevention, detection and response, and business continuity and disaster recovery (BC/DR)—we can create a strategic financial framework that maximizes the organization's resilience against cyber threats.

While achieving complete security may be unattainable, a well-structured budget that addresses these objectives significantly minimizes the risks an organization faces.

  • Prevention

    Regulatory Compliance

    To protect the organization's sensitive data and maintain compliance with industry regulations, decision-makers should prioritize allocating a budget for cybersecurity services/solutions that address specific compliance requirements, such as GDPR and NIST, for data protection.

    Risk Assessments

    Performing regular risk assessments is crucial for identifying potential vulnerabilities and determining the level of risk faced by the organization. The cybersecurity governance committee should allocate a budget for comprehensive risk assessment services, which may involve partnering with cybersecurity vendors to conduct audits and assessments of the organization's infrastructure, applications, and data assets.

    Ongoing Security Training

    Cybersecurity training should be an ongoing effort that involves every employee and external stakeholder within the organization. Therefore, it is important to allocate a budget for engaging, memorable, and effective security training programs that educate employees about the latest cyber threats, phishing attacks, and best practices. By partnering with specialized training providers, organizational leaders can ensure that employees are equipped with the knowledge and skills necessary to actively contribute to the organization's security posture.

    New Business Initiatives

    As the organization embarks on new business initiatives, it is crucial to assess the associated cybersecurity risks and allocate the budget accordingly. Whether adopting cloud services, outsourcing operations, or expanding into new markets, decision-makers should consider allocating a budget for security assessments and the implementation of appropriate security measures. This may include deploying cloud-specific security tools, conducting vendor risk assessments, and implementing secure development practices for new applications or systems.

  • Detection and Response

    When it comes to cybersecurity, detection and response solutions are crucial for identifying and mitigating threats that manage to infiltrate a network. These solutions come into play after an attack or malware breaks through preventative defenses, helping IT teams gain awareness of the threat and take appropriate remediation actions.

    The cybersecurity budget for detection and response should include investments in various solutions, such as Endpoint Detection and Response (EDR) products, Security Information and Event Management (SIEM) solutions, and incident handling tools. Allocating a budget for these solutions is essential to enable effective incident response and threat management.

  • Business Continuity and Disaster Recovery (BC/DR)

    In the event of a cyberattack or other catastrophic event, organizations need to have services and technologies in place to ensure business continuity and recover critical IT systems and data. This requires a budget allocation for solutions like backup products or services, virtual and cloud-based hosting solutions, and cyber insurance. Such solutions are crucial to minimize downtime, data loss, and operational disruption.

Determining the appropriate budget for cybersecurity is a complex task that depends on several key factors, including organizational size and complexity, industry and regulatory requirements, business objectives and priorities, as well as the existing security infrastructure and technology in place. There is no universal number or fixed percentage that organizations should allocate to their cybersecurity budget. Instead, considerations such as company size, industry, compliance needs, data management practices, and client/partner requirements must be taken into account. It is essential to assess the business's specific circumstances, including its growth trajectory, current infrastructure state, performance, and the overall business landscape in terms of risks and compliance obligations. By carefully evaluating these factors, organizations can make informed decisions and allocate resources effectively to strengthen their cybersecurity defenses and protect their valuable assets.