Hidden but Predictable: Cyber Budget Overruns (and How to Fix Them in 2026)
- Norbert

- Aug 25, 2025
- 2 min read
Let’s get the most painful part out of the way: the number in your cybersecurity budget is not the number you’ll actually spend. This is not because of poor planning or sudden, unforeseeable events, but because certain costs are consistently overlooked during the budgeting process.
Unplanned cyber-related expenses can put significant financial strain on the business, because cybersecurity is usually treated as a cost centre (unless your business's main activity is in cyber) and does not directly generate revenue.
We've captured a number of these below, to ensure precious CTO/CFO relationships can continue to flourish!

1. Remediation
Penetration tests, vulnerability scans, red team exercises and security audits identify vulnerabilities; they do not remediate them. The follow-up work, which may include patching, code changes, process improvements, etc., carries a cost, both in cash and in time spent by your team or supplier.
Recommendation: Allow for a budget of three to five times the assessment fee to cover corrective action.
2. Supply Chain Incidents
Should one of your suppliers fall victim to a cyber attack, your incident response plan may also be triggered, and configuration changes, firewall updates and additional alerts may need to be set up at short notice. Incidents involving personal or regulated data may also require advice from a legal team and trigger additional auditing activities.
Recommendation: Build a small contingency fund specifically for supplier-related incidents. Spend it on cyber readiness exercises or awareness training later if it was not needed.
The budget you should allocate depends on how critical vendors are to your operations and how mature your supply chain risk management is. A good rule of thumb is to look at the revenue attributable to the supplier and set aside 1% for your contingency budget.
3. Overlapping and Underutilised Tools
It is rare to have software that covers the specific use case needed by your business exactly. It is also possible that over time, preference towards a tool changes or functionality improves so far that another tool may be made redundant.
Recommendation: Speak to your CISO or IT Manager, and check if there are any tools that can be retired. Also, take a critical look at the cost of individual security tools - you might be surprised that some tooling that is licensed on a per asset basis may cost more per annum than a monthly or quarterly vulnerability scan performed by a cybersecurity specialist.
There are many more areas that could carry hidden costs, which may be unique to your business, like API integrations, cloud storage and license costs, shadow IT, and so on.
Reach out to us for tailored advice; we are happy to share our experience on a pragmatic approach to cybersecurity budgeting!
Bottom Line
Hidden cybersecurity costs are not anomalies; they are recurring and predictable if you learn where to find them. Treat them like any other part of your security planning. Your CFO will thank you, and your budget will actually reflect reality.
Check out this Cyber Budget Survival Guide next, to see how small investments can make a big impact: