December 1, 2015
Almost eight years ago, Bruce Schneier wrote a great article about the problems of ROI calculation for cybersecurity spending within organizations. Since then, both annual spending on cybersecurity and the cost of global cybercrime have significantly increased.
Although organizations increased their information security budgets by 24 percent in 2016, many security officers still have to justify every extra thousand spent on cybersecurity to their management. Traditionally, Europe is more conservative than the US, and many more European security officers are asked to reduce their initial cybersecurity budgets by removing some items or replacing them with less expensive alternatives.
Businesses need to make money in order to pay salaries (including the salaries of the cybersecurity team), so their point of view, based mainly on financial numbers, is clear and reasonable. Nevertheless, if you prepare a well-explained justification for your cybersecurity budget, using terminology and language that management understands, your chances of getting the budget approved without modifications will at least double.