How do you calculate a security budget? Is it a percentage of the IT budget? Something else? And why does it grow so drastically after a breach?



Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Yaron Levi (@0xL3v1), CISO, Blue Cross and Blue Shield of Kansas City.

Thanks to this week’s podcast sponsor, IronNet Cybersecurity

To combat sophisticated cyber threats, companies are increasingly adopting collective defense strategies to actively share intelligence with peer organizations to improve the detection capabilities of the collective. Through faster sharing of behavioral analytics, signature-based, and human threat insights, organizations can more effectively spot malicious activity and reduce attacker dwell time. More on IronNet Cybersecurity.

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • The general consensus among the community is cybersecurity is a spend it now or spend more later decision.
  • While everyone wants to find a metric to determine how much to spend on cybersecurity, there doesn’t seem to be any that are useful.
  • The CISO’s job is to provide data about risks so the business can make the decision about cybersecurity spending.
  • Most assume that after a breach there’s more cybersecurity budget, but what you get first is cooperation.
  • Look at security as a market differentiator. What if you could withstand a cyber attack but your competition couldn’t? Or possibly you could deliver a higher level of reliability to your customers. How would your business be perceived by the market?
  • A business impact analysis calculator can help understand your risk levels. Allan Alford has one his site.
  • Many felt the biggest cost to a company suffering a breach isn’t loss of data or the regulatory fines, but the damage to the company brand.
  • The cost of proactive protection always beats the cost of suffering a data breach.
  • One listener recommended that MBA programs should have a breach case study as part of their curriculum.