The CFO is an important ally in the fight to keep information and IT assets safe and secure.

“Given the risks that cybersecurity threats pose in a technology-driven, global economy, today’s CFO must ensure that adequate steps are taken to protect the company’s reputation, stock price, and mission-critical assets,” said information security expert and former Gartner executive Steve Durbin in an article about cyberthreats in next-generation areas such as 5G and machine learning.

Most CFOs today understand that cybersecurity procedures are a financial concern just as much as an IT issue. Yet the person responsible for managing and mitigating enterprise risk has historically been absent from many discussions about IT security. It’s time for CFOs to take a more active role in understanding how information is secured and what can compromise that security. A good place to start is to quantify the costs.

Successful cyberattacks are costly not only in time and resources spent on damage control, but also in terms of brand value and investor confidence. And on the prevention side, big security decisions are often big budget decisions too.

So how much are companies spending on developing cybersecurity procedures? And how do those numbers compare to the cost of an attack?

An Ounce of Prevention

The numbers vary depending on who you ask. A recent Ponemon Institute survey of small- to medium-sized businesses found that companies are spending, on average, about 12% of their IT budget on cybersecurity procedures, whereas a 2016 study by Gartner reported that organizations, in general, spend about 5.6% of their IT dollars on security and risk management.

Those numbers don’t tell the whole story, of course. Companies that are already relatively well protected may not need to spend as much on cybersecurity. Conversely, companies that funnel more money into security are not necessarily spending it on the right things. And it’s difficult to define, even conceptually, the distinction between spending on security and spending on general IT.

Even so, the budget statistics provide a point of comparison for the second question: What is the cost of an attack?

How Much Is Data Security Worth?

In the Ponemon survey, 58% of respondents said their company had suffered a data breach in the last 12 months. (Remember, that’s small- to medium-sized businesses only.) The cost associated with those breaches is steep. Companies spent an average of $1.43 million due to damage or theft of IT assets, and the disruption of day-to-day operations caused by compromised data cost an average of $1.56 million per company over the same period.

What about investor confidence? One study shows that the value of a company’s stock drops an average of 5% when a data breach is disclosed to the public. And a rebound is not guaranteed, especially in companies with a poor security posture.

Again, the numbers vary depending on who you ask and when, but in the end, the only numbers that really matter are yours. It’s clear that any business, no matter the size, has real financial incentives to look carefully at its IT security budget. Too many organizations still believe they are too small to be targeted by a cyberattack. A false sense of security can be worse than no security at all.

The line between finance and IT is getting blurrier by the day. CFOs can no longer afford to think of data breaches, ransomware, and other such attacks as somebody else’s problem. Proactive CFOs who work closely with other departments will be better positioned to face the challenges of tomorrow — and today.

Understanding where the cybersecurity risks are in your organization is one of the best ways to ensure dollars are allocated where they can make the most difference. Completing an IT and cybersecurity risk assessment can show you just that. For more guidance on how best to allocate your dollars to keep your company safe, talk to the information security professionals at CRI.