

What Does the Average Financial Institution Spend on Cybersecurity?

Defining “Normal” Cybersecurity Spend Per FTE

Chief Information Security Officers (CISOs) have found themselves at a disadvantage when directors or executive peers challenge the cost of their organization’s cybersecurity spend, since little-to-no peer information is available. Bankers have often utilized regulatory call report information for peer analysis, measuring their institution’s financial performance compared to competitors. While call reports provide key financial performance indicators, detailed information related to cybersecurity and information technology budgets is not easily obtained from available call report data.

A recent report titled “Pursuing Cybersecurity Maturity at Financial Institutions,” released by Deloitte and the Financial Services Information Sharing and Analysis Center (FS-ISAC), estimates that responding financial institutions spend between $1,300 and $3,000 per full-time equivalent (FTE) employee for cybersecurity annually, with an average of $2,300 being the norm. The report estimated responding financial institutions spend six percent (6%) to fourteen percent (14%) of the IT budget on cybersecurity, with an average of ten percent (10%) of the IT budget being the norm. While beneficial, the more interesting item in the report is that these figures translate to a range of 0.20% (20 bps) to 0.90% (90 bps) of responding financial institutions’ revenue, with an average of 0.30% (30 bps) being the norm.


Are Community Financial Institutions Lagging in Cybersecurity?

While 97 companies participated in the report, with representation spanning multiple revenue levels and various financial sectors, we can apply these results to the community-based financial institution segment. Respondents were delineated by revenue into the following categories:

  • Large respondents (more than $2B in revenue) with 38 respondents;
  • Midsized respondents (more than $500M, less than $2B in revenue) with 23 respondents; and
  • Small respondents (less than $500 million in revenue) with 36 respondents.

Assuming that a community-based financial institution should spend between 20 bps and 90 bps of revenues on cybersecurity, we can use available call report information to estimate what the average cybersecurity spend is in this segment of the financial institution universe.

According to the June 30, 2019, Uniform Bank Performance Report (UBPR) Peer Group Average Distribution Report (by Percentile Rank) of the 5,352 banks that reported, the following peer averages were available:

  • Interest Income (as a percentage of average assets): 4.34%
  • Non-Interest Income (as a percentage of average assets): 0.60%
  • Assets per Employee ($ million): 5.25

Thus, a typical community-based financial institution will have revenues that are roughly 4.94% (4.34% + 0.60%) of average assets and have one employee for every $5.25 million in assets. Applying the ratios across a range of asset sizes, the $2,300 per FTE estimate from the “Pursuing Cybersecurity Maturity at Financial Institutions” report appears to be at the 90 bps range for the average performing community-based financial institution.


The “Pursuing Cybersecurity Maturity at Financial Institutions” report noted small respondents budgeted a lesser percentage of their revenue (20 bps) on cyber than did midsize (50 bps) or large companies (40 bps). While small respondents’ average spend of $2,100 per FTE matched that of midsize respondents, this cybersecurity spend was much lower than the $2,700 cited by large respondents.

When it comes to building a successful cybersecurity program, however, the report noted that advanced respondents did NOT necessarily spend more on cybersecurity than less advanced respondents. The biggest takeaway from the report is that HOW a cybersecurity program is planned, implemented, and managed matters more to its effectiveness than the percentage of revenue allocated to cybersecurity.


Key Characteristics of a Successful Cybersecurity Program

Deloitte’s study also identified the three (3) key characteristics of financial institutions that have built successful and effective cybersecurity programs, including:

  1. Involvement: Effective cybersecurity programs commonly have secured strong executive and board involvement. Involved executive management monitors cybersecurity risk in the same perspective as financial risk, lending risk, compliance risk, and other company risks. One of the major report findings is that a lack of management support and inadequate funding was a leading challenge among respondents. Going beyond setting the overall security strategy, the report found engaged management reviewed threats and cybersecurity risks, monitored the cybersecurity program, and assessed their organization’s vulnerability to a third party’s public breach. Better awareness of threats and cyber risk, along with the implications of a cyber incident to the institution, accelerates management engagement and focuses the management team on the institution’s current challenges while maintaining appropriate funding.
  2. Alignment: Cybersecurity is an enterprise issue that goes beyond information technology. Effective cybersecurity programs recognize that cyber threats are one of the most critical risk exposures facing the financial industry. Cybersecurity is not merely a technology issue. While the cybersecurity program may have originated in the information technology function, effective programs raise the profile of cybersecurity at the institution, allowing decision-making to be independent of other traditional information technology considerations. Effective cybersecurity programs recognize the need to completely segregate the cybersecurity function from the information technology function.
  3. Strategy: Cybersecurity is aligned more closely with the overall business strategy in institutions with an effective cybersecurity program. With modern banking, all business functions have multiple dependencies on internal and external technology to perform daily operations. Leveraging technology is often how financial institutions compete and differentiate themselves from other institutions across the street or across the nation; however, new technologies may expose the institution to new threats and additional vulnerabilities. Business growth and expansion was the second-largest challenge identified by respondents. Management of effective cybersecurity programs requires an awareness of the business growth implications, expansion, and the alignment of cybersecurity with the overall business strategy.


Stay Informed

CISOs will be continually challenged to justify increased funding for cybersecurity. Using studies such as this “Pursuing Cybersecurity Maturity at Financial Institutions” report by Deloitte and FS-ISAC and current industry peer information, CISOs can be better prepared to answer the question of not only, “How much funding do other financial institutions allocate to cybersecurity?” but also, “How are other financial institutions facing the challenge of developing and maintaining an effective cybersecurity program with limited funding?”


Written by: Shane Daniel
Senior Information Security Consultant - SBS CyberSecurity, LLC


Posted: Tuesday, October 15, 2019