Paying for protection – what does a well-rounded cyber-security budget look like?

by Mark Sinclair, ANZ Regional Director at WatchGuard Technologies

Getting executive approval for a generous IT security budget isn’t always a straightforward affair. As with other forms of ‘insurance’, the value of cyber-protection measures can be called into question – right up to the time when disaster strikes.

Having said that, the purse strings in Australia have loosened up a touch of late, perhaps as a result of recent highly publicised security incidents such as the WannaCry ransomware attack and the Equifax data breach.

Cyber security spending in Australia is expected to reach $3.8 billion in 2018, according to Gartner Group; an increase of 6.5 per cent on the previous year’s outlay.

If funds are forthcoming, it makes sense they’re spent in a way which delivers maximum cyber-protection bang for the buck. So, what does a well-rounded security budget look like in 2018?

Too much prevention and not enough cure?

Industry estimates suggest organisations are dedicating up to three quarters of their security budget to preventative technologies alone. It appears reasonable and justifiable – prevention being better than cure, as the old maxim has it – but prevention shouldn’t be the only priority.

Motivated attackers will continue to find novel ways to get past preventative controls, and IT departments would do well to extend their budgets across multiple categories of security, including solutions that detect malware which has already infected their networks.

A well-balanced cyber-security strategy should see funds spread across three areas.

Prevention

Products and services which detect and block threats before they succeed should be the frontline defence in any organisation which is serious about preserving the integrity of its network and the data it contains. Firewalls, antivirus software, intrusion prevention systems, advanced malware protection programs and cloud-based email filtering systems all fall into the prevention category.

Detection and response

Solutions which help identify and remediate a threat once it’s infected the network have an important place in the arsenal. They include endpoint detection and response products, security information and event management solutions and other incident management tools.

Business continuity and disaster recovery

Hoping for the best and preparing for the worst has always been prudent security practice. Services and technologies which assist organisations to recover from a cyber-attack can include back-up products and services, cloud-based hosting systems and cyber security insurance.

Splitting the spend more smartly

Spending 75 per cent of the security budget on prevention, as analysts believe is commonplace in the corporate world, can leave too small a slice of the pie for detection and response and business recovery services.

For my money, a superior split would be 50 per cent prevention, 30 per cent detection and 20 per cent business recovery.

Why? Prevention is important, but it can never be perfect. The latest sophisticated threats, such as polymorphic ransomware and fileless malware, have shown that defensive technology can’t block everything. The latest malware repacks itself regularly and is easily able to evade signature-based protections.

Reducing the time taken to find and eliminate malware once it has infiltrated a network can help limit the damage if – or when – an organisation is unlucky enough to experience an attack.

The latest research from Ponemon Research and IBM suggests there’s plenty of room for improvement on this front. Their Cost of a Data Breach study indicates it currently takes, on average, more than 190 days to identify that a network has been infected. That’s a sobering figure given that stealing terabytes of data can be the work of hours, not weeks or months.

Devoting a larger portion of the security budget to detection and response tools has the potential to bring detection time down to just minutes.

These solutions use multiple methods to root out malware that’s already installed on devices and can clean up and remediate threats automatically. Sneakier and more sophisticated infections can be dealt with by correlating endpoint and network indicators.

Meanwhile, increased investment in recovery services can make cleaning up the mess less time-consuming and costly. If a cyber-threat, such as a ransomware or denial-of-service attack, takes down an organisation’s critical IT infrastructure, in part or in its entirety, the organisation is likely to bleed money until that infrastructure is restored. A solid disaster recovery plan and good back-up, hosting and virtualisation services will see an enterprise get back up to speed sooner following an attack and will ensure management and IT staff aren’t left scrambling to respond.

Better balance

Adjusting priorities to spend less on prevention and more on detection, response and recovery shouldn’t be seen as a radical change. Rather, it’s the injection of some balance to the budget which may well lead to better security outcomes for businesses long term.