Budgeting for Cloud Security

Companies are spending more than ever to protect their data. Global IT analysts at Gartner estimate total information security spending will rise to a record $124 billion in 2019, up from $114 billion in 2018. That’s a bargain compared to the potential cost of not securing data assets in outright losses, customer defections, and reputational damage. IBM Security and Ponemon Institute estimate that in 2018, the average data breach cost $3.86 million.

However, cybersecurity is a big chunk of any organization’s budget, and one that requires careful thought and planning. Furthermore, with cloud-based and hybrid-cloud workloads rising in popularity, budgeting for cloud security—and learning how the cloud can help with cost efficiencies—is important to consider in today’s world of business.

This blog will look at some factors that determine how much you may want to spend on cloud security, what you’ll need to consider when migrating to or maintaining a cloud environment, and how your cloud security expenses may compare with the cost of securing data on premises.

Finding the Right Budget Allocation

The amount you allocate to cloud security will depend on a variety of factors, but boils down to three questions: How much is your company’s information worth to hackers or other criminals? What guarantees of confidentiality, integrity, and accessibility (CIA) are important to your customers? And, finally, what are the current or near-term threats to your data, and how likely are they to compromise your company information? Wait, isn’t that four questions?

It’s important to know how much your data is worth to determine the upper limit on an appropriate budget. In other words, cybersecurity budgets should never exceed the assessed value of the company information CIA they are designated to protect. Budget allowances for information security in cloud storage should follow the same determination process—with the exception that most associated hardware and some software may not require company protection. But doesn’t the value include loss to reputation, damage to the brand, intangibles according to IBM? Instead of upper limit, shouldn’t the take be on adequate budgets?

Most companies spend 10% to 30% of their overall budget on cybersecurity, according to a recent survey from Forrester Research. However, companies spending below this range may not be detecting all the threats to their data. The Forrester report finds that 54% of companies spending 0% to 10% of their budget reported no breaches in the past 12 months, but that doesn’t mean they didn’t happen, just that no one detected them. In comparison, only 42% of companies that spent 11% to 20% of their budgets on cybersecurity reported no breaches. Companies at the very top of the range—those spending more than 30% on cybersecurity—typically have just had a significant breach and are actively dealing with the aftereffects. For most, this will be a temporary surge, and budgets will recede below 30% when they return to a cybersecurity normalcy

Companies in different industries also have varying spending patterns. Companies that maintain critical infrastructure, including utilities and telecommunications firms, spend the most; while financial services and healthcare companies tend to lag, despite the value of their data and some high-profile breaches.

 Budgeting for the Cloud

Although organizations still keep roughly two-thirds (65%) of their data infrastructure on premises, demand for cloud-based solutions such as Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) is growing, according to new research from Threat Stack.

Today, companies see cloud infrastructure vulnerabilities as their No. 1 threat, ahead of network intrusions, data breaches affecting customers, and phishing attacks, according to the same survey. As a result, when companies move increasingly into cloud environments, cloud workload security and intrusion detection systems will take up an increasing share of cybersecurity budgets. Some factors to consider when budgeting for the cloud include:

Third-party risk: When you outsource cloud computing services to a vendor, you take on third-party risk. This becomes particularly critical when a vendor is bought or merged or acquires another company, thus changing the entities with which you do business. At this point, it becomes critical to assess the extent of this risk by determining where company data is stored, processed, and moved by these third parties, and what security controls and monitoring capabilities are available. In an ideal situation, third-party cloud service and security providers will have undergone some sort of certification or standardization process, making risk assessment more feasible and accurate.

Shared responsibilities: Although cloud service providers often provide cybersecurity and incident response services, they are not ultimately responsible for your data security. You are. Customers and shareholders will accept nothing less. However, as companies transition from on-premises to hybrid to public cloud platforms, cloud and/or Security-as-a-Service (SaaS) providers take on some of that responsibility. When this happens, your company’s leadership must continuously assess the vendor’s security measures, monitoring, and response functions to make sure they’re working up to your standards. Regular, joint cyberthreat exercises are a good way to test vendor-provided security.

Hybrid structures: As organizations move gradually to the cloud, many are developing hybrid cloud environments, which combine on-premise and private and public cloud capabilities. Yet, integrating and safely operating these systems poses risks. A recent survey by AlgoSec of 450 senior security and network professionals found that while nearly a third (32%) planned to increase their public cloud usage in the next 12 to 18 months, the majority were worried about cyberattacks and breaches in their hybrid environments. Among their biggest challenges: a lack of visibility (63%) and consistent management of security policies (61%).

Protection during migration: Companies face particularly high cybersecurity risks when moving data to a public cloud. AlogSec found that 44% of the companies it surveyed had difficulty managing security policies post-migration, 32% had difficulty mapping application traffic flows before starting a migration project, and 30% reported their applications did not work after the cloud migration. Careful planning, as well as the use of advanced automated solutions, can streamline these transitions and reduce risks.

Companies struggling to make the case for a larger cybersecurity budget should remember one important point: It is almost always cheaper to prepare than to repair. Proper cybersecurity planning, enabled by an adequate cybersecurity budget, can reduce the need for extensive, reactive, post-event cybersecurity remediation. Fixing a breach will usually cost more in time, dollars, and lost customers than even the most lavish cybersecurity budget, so make sure your company is spending enough to protect itself.

Can You Save Money by Moving to the Cloud?

Replacing on-premises data centers with the cloud eliminates the need for IT infrastructure, staff and office space—but it may not save you money right away. For one thing, migration itself is expensive, and it may take you some time to figure out how to optimize your use of cloud-based services. Even so, cloud-based platforms offer some clear benefits to businesses.

First, cloud computing can support a more collaborative, connected workforce, who can easily share documents and data across teams and geographies. One study by Frost & Sullivan found that by investing in collaborative technologies, companies increased productivity by as much as 400%.

Cloud-based computing also can increase companies’ agility, the ability to move quickly to capitalize on new opportunities. A study from Harvard Business Review Research Analytic Services reported that 74% of companies who had adopted a cloud strategy said it provided their organization with competitive advantage. Migrating to the cloud also has increased operational flexibility and business adaptability, particularly for smaller firms who cannot afford to build robust data capabilities on their own.

Just as important, by moving data storage to dedicated cloud-based vendors, corporations can gain access to a best-in-class solution from providers who specialize in cloud-based data exclusively. This can increase security, make IT costs more predictable, and increase disaster resilience. Switching to a cloud environment effectively outsources your IT infrastructure and staffing, while transferring material levels of risk, maintenance workload, energy costs, physical space and security requirements, and cybersecurity operations to a service provider specifically designed, staffed, and equipped to administer these responsibilities with maximum efficiency.

For all these reasons and more, organizations of all types, in a variety of industries and at different stages of their growth, are making more room than ever in their cybersecurity budgets for cloud-based workloads and security. Make sure your organization is spending enough to protect valuable information, wherever it is—whether at your place of business or in the cloud.

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals