When budgeting for cyber security consider what you must do for legal and regulatory compliance, and what you should do for good security. As good security is a business enabler, do that first. Then analyse any compliance gaps and fill them. You should budget accordingly.

How you decide to deal with risk is important: will you accept, avoid, transfer or mitigate?

Let’s say you calculate the value of losing an asset to a specific threat, combined with the likelihood of that happening in a year, at £5,000; the cost of a control to protect it at £1,000; and a further £300 to implement it. The £3,700 left over is the value of that control. In cyber security this is called Annualised Loss Expectancy. If the figure goes negative, that control is probably not suitable; find one that does a better job or costs less.
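As an added example (not from the original text), a small Python model of the calculation above: the expected annual loss is taken as a single loss multiplied by its likelihood per year (the split of the £5,000 into £25,000 × 0.2 is constructed), a control's value is the loss it removes minus its yearly purchase and implementation cost, and controls whose value goes negative are dropped so the remaining ones can be ranked. The `risk_reduction` fraction is an assumption that generalises the page, which treats the control as removing the whole loss.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    purchase_cost: float        # yearly cost of the control itself
    implementation_cost: float  # yearly cost to deploy and run it
    risk_reduction: float = 1.0 # fraction of the expected loss it removes (assumed; 1.0 = all of it)


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """Expected loss per year: what one incident costs times how often it happens in a year."""
    return single_loss_expectancy * annual_rate_of_occurrence


def annual_cost(control: Control) -> float:
    return control.purchase_cost + control.implementation_cost


def control_value(ale: float, control: Control) -> float:
    """Loss avoided per year minus what the control costs per year; negative means not worth it."""
    return ale * control.risk_reduction - annual_cost(control)


def rank_controls(ale: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Keep only controls with positive value, best first, so the cheaper or more
    effective option is easy to pick."""
    scored = [(c.name, control_value(ale, c)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    # Constructed figures: a £25,000 loss expected once every five years gives the page's £5,000.
    ale = annual_loss_expectancy(25_000, 0.2)
    candidates = [
        Control("page example", purchase_cost=1_000, implementation_cost=300),
        Control("half-measure", purchase_cost=200, implementation_cost=100, risk_reduction=0.5),
        Control("gold-plated", purchase_cost=6_000, implementation_cost=500),  # costs more than the risk
    ]
    for name, value in rank_controls(ale, candidates):
        print(f"{name}: worth £{value:,.0f} a year")
```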

Security is not all about technology; it is just as much about people and process, and cyber security spend should reflect what the business needs whilst reducing risk. A budget to fix processes or train staff may be more effective, and cost less, than buying and configuring technology. It’s not what you spend – it’s how well you spend it.