Annual amount per user for cybersecurity?

Security & GRCFinancial Management

$50055%

$100037%

$15006%

737 PARTICIPANTS
5.5k viewscircle icon3 Upvotescircle icon3 Comments
Sort by:
Director in Finance (non-banking)6 years ago

Build it yourself?  Far more expensive for both personnel and systems.  Using a leveraged outsourced partnership is far more economical, even if just for certain functions.  Still cannot outsource oversight and leadership though...

Lightbulb on3
Information Security Managing Consultant in Services (non-Government)6 years ago

This is a tough question. I am actually working on this now for a "startup" that is 7-8 billion in revenue in annual revenue. It really depends on who owns the Security applications such as training (could be HR), endpoint protection, secure coding scans (could be IT), etc. I would need to know the setup of your organization. 

For the org I am helping, I am leading the company to not have the CISO own more than the actually resources so the enterprise spend is closer to $500 or less per person. I like running a lean CISO office that is more governance, risk and compliance with oversight in delivery but not ownership of the tools. 

Having the CISO as a peer to the CIO and not in IT is my belief the best way to run an InfoSec office, which will directly impact the InfoSec operating budget.

Lightbulb on1
VP of Global IT and Cybersecurity in Manufacturing6 years ago

I had a third option which was $1500 but it didn’t display for some reason.

Lightbulb on2

Content you might like

Does your IT team or your HR team absorb the costs of HR technology?

Read More Comments

Does someone have advice on how they have balanced the risk/reward as it relates to introducing Open-Source Software to organization? My org is dipping its toe into the OSS world and the architecture and risk governance teams are looking to get ahead of these requests by coming up with policies and standards for OSS technology being brought into our environment. To clarify, this is not for software development and CI/CD pipelines, SDLC etc. This is for installing solutions that already exist out there (Zabbix, GreyLog, Prometheus etc.) into the organization's environment. We are looking to provide a balance on the obvious risk with the ability to move fast (like everyone else now).

What is your percentage of revenue for cybersecurity?

1%30%

2%34%

3%19%

4%4%

5%11%

View Results

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?