HOW TO DECIDE ON
YOUR COMPANY’S IT
SECURITY BUDGET
In the modern world, there is a plethora of security
products and services to choose from. Businesses can
find it daunting to navigate their way through these
options to choose the best one. Alexander Moiseev,
Chief Business Officer at Kaspersky, outlines the
different approaches that companies can take when it
comes to planning their IT security spending.
Worldwide spending
on information
security products
and services
has been on the
rise for years.
According to
Gartner, it’s set to rise from US$114
billion in 2018 (an increase of 12.4%
from 2017) to a forecast of
more than US$124 billion in 2019.
IT security leaders in enterprises also
have high expectations: 72% say that
their budget will increase in 2020. With
more and more money being put into
information security, it’s interesting to
see how these investments are
actually shaped.
From my experience, there are basically
two ways to decide about the future,
whether in business or personal matters.
Number one: Rely on your intuition and
previous experience in similar situations
or simply follow others’ choices. That’s
a conventional approach. Number two:
Analyse your unique situation, break
it down into small details and try to
calculate the probability of these details
changing in the near future. This is a
risk-based approach.
Now let’s take a look at how different
companies plan their IT security
spending and what we can learn from
these two approaches.
The conventional approach
to budgeting
The most typical approach to security
budgeting is often based on today’s
immediate needs or on previous experience.
This is especially relevant for growing
companies that need to be able to
quickly equip the business with the minimum
necessary cybersecurity measures
and tools so that it can focus on growth.
In organisations at this stage, budget
planning most often happens according
to the principle of inheritance, whereby
the current budget level is maintained for
several cycles with minimum changes.
There is no practice of setting strategic
IT security goals or assessing specific
risks, and the money is spent on
emerging needs with ad hoc support.
This approach may work well unless
sudden and unaccounted business
needs emerge: for example, a decision
to increase the digital side of the
business, implement a cloud-based
service for CRM or accounting, or
open a new branch office. All these