In 2018 it seems like every business that deals with customer information and data should have a security program in place. But that’s not the reality. There are trends and obstacles that seemingly stop businesses from setting up security measures to protect sensitive information.
The chart below from Cisco reports that from 2015-2017 the greatest obstacle was budget. So why is something as important as security being left on the boardroom floor when budget cuts come around?
The chart also recognizes obstacles like compatibility issues with legacy systems and lack of trained personnel. In the past we’ve covered the topic of training team members with cybersecurity best practices; check out that article here.
But we want to focus this article on the largest wall that businesses are facing when it comes to security: budget.
We know that businesses, especially new businesses, are operating under reduced budgets and that IT isn’t always at the top of the list for “must-haves.” When things like advertising seem more vital, it’s easy to overlook the risk of not having a security program in place.
Look at the healthcare industry, for example. According to a report published by Black Book Research, IT spending remains stagnant while the volume of cyber attacks continues to increase. According to 88 percent of hospital representatives surveyed, IT security budgets have remained level since 2016. This is due in large part to the fact that hospitals find it hard to invest in something that will not produce revenue.
For this reason it is important to have a person who is experienced in budgeting and risk management in the room when the discussion is happening.
Who are the decision makers?
The Chief Financial Officer (CFO) is more involved than ever in the decision-making process for cybersecurity budget allocation. This is because cybersecurity is no longer just a technological risk; it is a huge financial risk as well. A cyber attack can pose huge risks to the financial status of a company.
A CFO’s experience in mitigating risks qualifies them to be a key player in the decisions related to cybersecurity spending.
The IT team should also be a part of these conversations. The Chief Technical Officer (CTO) will have an understanding of the security requirements and be able to communicate those points to the CEO.
What can be done?
You should start by coming to the conclusion that some form of security is a necessity. The reward of having a security program in place outweighs the risk of going without one.
When budget talks come up, take the lead and lay out the risks that come with not having a cybersecurity program, and then take the recommended next steps in making your company more secure.