How Much Should We Spend on Cybersecurity?

May 5, 2022 | Cybersecurity Consulting

Data breaches can have disastrous consequences, particularly for startups or small to medium-sized businesses. According to Cybercrime Magazine, 60 percent of small companies go out of business within six months of falling victim to a data breach or cyberattack.

Security has to be a priority for organizations of all sizes, but for small companies it can be difficult to know where to start. Creating a cybersecurity budget is an important first step, but there is no simple formula for arriving at the right number. Brad Thies, president and founder of BARR Advisory, weighed in on how to determine cybersecurity spend.

Determining your cybersecurity budget 

“Figuring out how much to spend on cybersecurity starts with asking: how much do you value your data?” said Thies. “Then ask: how much data could an attacker gain access to if any one person’s credentials were compromised?” 

Compare how much you value your data to the cost of a data breach, which, according to IBM, averaged $4.24 million in 2021. That estimate is likely conservative, since it doesn’t include the cost of recovering data. With that perspective in mind, security is often a “pay now or pay later situation,” Thies said.

If you want to cross the Atlantic Ocean, you can buy a plane ticket for a few hundred dollars. You could also kayak, but it simply wouldn’t be effective. Think of cybersecurity spending the same way: while prioritizing security may be more expensive in the short term, it will ultimately save time and money in the long term.

Some organizations set their cybersecurity budget as a percentage of another budget; for example, 10 percent of the IT budget. While this approach might work for some companies, determining a budget isn’t always as simple as picking a percentage.

“Think of your budget as its own data piece informed by how much you value your data and your overall security objectives,” Thies explained.

One of the biggest mistakes companies make when determining a security budget is viewing the budget as the cost to meet compliance. 

“If you’re spending only as much as it takes to check the box, you’re not thinking about your customer,” Thies said. For product companies, everything is about the customer, and investing in security shows that you care about your customer’s data and privacy. 

“Compliance can give you perspective, but it’s not one size fits all,” Thies elaborated. 

Threat modeling

Threat modeling is the key driver of any cybersecurity budget. It allows an organization to identify, evaluate, and mitigate potential threats to its network. A threat model takes into account the organization’s assets, attack surfaces, and potential attackers, including internal, external, and unintentional ones. It gives organizations a clear picture of potential risks so they can prioritize threats, create security objectives, and determine how to use their budget to meet those objectives. “Without threat modeling, you’re spending without knowing why,” explained Thies.

The threat modeling process helps companies plan their budget around the most common and relevant threats to their specific industry and company size, removing any guesswork from the process. 

Threat modeling is also an important part of communicating cybersecurity priorities to the C-suite and other stakeholders. Cybersecurity has become easier to discuss now that it is regularly in the news, but because threat modeling is tied directly to the value of a company’s data, it creates an opportunity to explain concretely how each threat affects your specific organization.

“Essentially, you need to know the value of your assets, the scope of your attack surfaces, the level of risk you are willing to accept, and consider conditions such as regulatory requirements and where you are in your security journey,” said Thies. 

Thies recommends organizations undergo a risk assessment to determine the scope of their assets. 

What goes into a cybersecurity budget? 

“Every cybersecurity budget should account for three essentials: people, processes, and tools,” said Thies. Let’s take a further look at what these essentials entail: 

People
Thies advises that companies budget for at least one internal security hire. When it comes to security, companies can delegate everything except accountability, so having one person who “owns” security is important. The people component also includes outside expertise: “it’s not cost effective to think you can have all the expertise in house, so you want to partner with security experts in a meaningful way,” Thies said.

Security partners like BARR can help organizations develop, mature, and manage cybersecurity programs. 

Processes
Budgeting for processes includes the cost of security awareness training for the entire company. With compromised credentials as the leading cause of security breaches, everyone in the organization needs to participate in a security culture, even if their role doesn’t involve handling private data. 

Other process costs include vulnerability assessments and risk assessments. As with the people aspect of cybersecurity budgets, outsourcing these processes is an important step. “For many organizations, it can be tempting to cut costs by doing assessments on your own, but it’s not as robust or meaningful because you lose the element of impartiality,” Thies explained.

Tools
“Today, even hackers are automating their attacks—which means companies need to be automating their security processes. That’s where automation tools come in,” said Thies. It’s important to leave some budget for security tooling, even if it’s as simple as automating provisioning. For organizations in cloud environments especially, spending on tooling can simplify complex security tasks.

“There’s always add-ons for making life easier, and when it comes to security it can really be worth it,” mentioned Thies.

Security enables growth

For enterprises with seasoned security professionals and mature security programs, it’s easier to determine how much to budget and where to allocate resources.

For startups and small to medium-sized businesses, determining a budget requires knowing your security objectives and what you’re trying to achieve with your security spend.

“If you have confidence in your product and your business, invest in security,” Thies said. “If you don’t know where to start, find a professional that can help you figure it out, and consider that person as your first budget spend,” he concluded.

Looking for more information on how to determine a cybersecurity budget or build a cybersecurity program? Contact us today.
