Guide to Cybersecurity Budget Planning for Counties and Large Municipalities 

Learn about common budget struggles, factors that impact cybersecurity budgeting, essential components of a cybersecurity budget, and how to talk to decision makers and councils about your budget. 

Cybersecurity is a critical part of a municipality’s or county’s annual spending. It’s important for municipalities and counties to flesh out a detailed cybersecurity budget to address critical risks, save money, and stay compliant.

Why do counties and larger municipalities often lack detailed cybersecurity budgets?

Counties and larger municipalities usually build out detailed IT budgets but sometimes lack that same granularity for cybersecurity. It’s important to create a detailed cybersecurity budget because, despite heavy overlap with IT, cybersecurity is its own beast.

However, county and municipal IT directors often struggle to create detailed cybersecurity budgets due to several challenges.


1. Cybersecurity budgets spread across different departments
When different departments have their own priorities and budgets, this decentralized approach means that cybersecurity budgeting may be captured differently across the county or municipality. It’s difficult in this fragmented scenario to gain full detailed transparency about cybersecurity spending.

2. Not enough cybersecurity expertise
It’s no shame to admit that while you might be an amazing IT director, you may not specialize in cybersecurity—a broad field with many subsets and specialties. It’s impossible to keep up on everything without help—especially when cybersecurity changes so rapidly.


3. Not enough bandwidth
Even if you feel that you and/or others on your team have enough expertise to flesh out a more detailed cybersecurity budget, you may just have too much on your plate keeping up with fires and other priorities—especially if you’re understaffed.

4. Not enough leadership support
You may very well want to build out your cybersecurity budget, but some county or municipal leaders have trouble “seeing” the risks. Despite cybercriminals heavily targeting counties and municipalities, some leaders get lulled into thinking that their local government is unimportant. And while frustrating, it’s often the case that physical infrastructure projects or other public-facing initiatives get leaders more public credit than “invisible” cybersecurity investments.

5. Historical precedent and budget stagnation
Also frustrating is knowing you need a more detailed cybersecurity budget but leadership is used to a status quo such as sticking with outdated systems that now involve high costs to upgrade—and so you can’t get the support to modernize your environment. This negative feedback loop means continued underinvestment in cybersecurity. Conversely, you may have also stagnated in your budgeting. Cybersecurity moves fast, so if your budget has not changed much in the last few years, then you could be missing out on important investments that would help your county or municipality.

6. Too much tool focus
This struggle originates with the IT director or with historical investments. With large organizations using an average of 76 security tools, many IT directors sadly believe that tools fix cybersecurity problems. However, too many tools often only add to environmental complexity, higher costs, integration gaps between products that don't share data, alert noise that nobody has time to triage, and a lack of real strategy behind your cybersecurity investments.

7. Lack of data to inform your budget
If you don’t know much about your cybersecurity risk profile, including potential threats and vulnerabilities, then you may not have enough data to know what you need in your cybersecurity budget. 

How much of your IT budget should go toward cybersecurity?

As you might expect, no simple rule of thumb exists. On average, cybersecurity is 11.6% of an IT budget although it’s less than 6% in a third of organizations. While the percentage can depend on quite a few factors such as your county’s or municipality’s size, complexity, and cybersecurity maturity, the biggest impact will be your risk profile.

A cybersecurity risk profile gives you an overview of potential cybersecurity threats, vulnerabilities, and impacts. It includes the following components:

  1. Asset inventory and criticality

Inventory all your IT assets (hardware, software, network components, cloud and SaaS services, and the data they hold) and assess the value of each asset based upon its criticality to your operations. You cannot price the risk to an asset you don't know you have.

  2. Threat identification and vulnerability assessment

Identify any potential threats, including external threats (such as cyberattackers), internal threats (such as employees or contractors misusing access), and environmental threats (such as natural disasters). Part of your threat identification should include a vulnerability assessment to see if you have weaknesses throughout your systems, along with any policy gaps.

  3. Impact analysis

If an asset is compromised, what is the impact on your operations, finances, and compliance? Where you can, put a dollar figure on a single incident (downtime, recovery, legal and notification costs).

  4. Likelihood of an incident

Based on past incidents, industry trends, and the current threat landscape, how often should you expect an incident of each type to occur? Even a rough per-year estimate is enough to rank risks against each other.

  5. Risk tolerance

After collecting the above data, what level of risk are you willing to accept? Then you can establish thresholds for acceptable risk levels; anything above the threshold needs a funded mitigation or an explicit, documented decision to accept it.

---

As you can see, your risk profile will heavily impact how you budget and may look different for each county or municipality. Use your risk profile data to:

  • Prioritize and justify spending: Once you’ve identified and prioritized risks, you can allocate and justify funds for high-risk areas such as your most critical assets and vulnerabilities. You’ll have the data and a clear rationale when presenting to non-technical decision makers—helping you build trust and confidence in your proposed budget.
  • Perform cost-benefit analyses: If you’re struggling to outline a cybersecurity budget, your risk profile data can help you understand the cost of a mitigation strategy against any potential benefits and risk reductions.
  • Plan for the long-term: Your risk profile gives you data that helps you create a solid long-term proactive cybersecurity strategy and roadmap.
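The five risk-profile components above, together with the cost-benefit analysis, can be turned into a small risk register that ranks risks against your tolerance and scores candidate controls. The following is an added example and is not code from the original article or from any vendor. The article does not prescribe a formula, so this assumes the common annualized loss expectancy model (ALE = expected incidents per year times loss per incident) and a return-on-security-investment figure, ROSI = (ALE avoided - control cost) / control cost. Every asset, dollar figure, likelihood and control in it is a constructed illustration, not data from a real county.

```python
"""Risk-register scoring and cost-benefit ranking for a municipal cybersecurity budget.

Added example (not from the original article). Assumes the annualized loss
expectancy (ALE) model and a ROSI figure per control; all assets, numbers and
controls below are constructed illustrations, not data from any real county.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    criticality: int        # 1 (low) .. 5 (mission critical), from the asset inventory
    likelihood: float       # expected incidents per year
    impact: float           # estimated loss per incident, in dollars

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected yearly loss from this risk."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    addresses: frozenset    # risk_ids this control mitigates
    reduction: float        # fraction of ALE removed for each addressed risk (0..1)


def rank_risks(register):
    """Highest ALE first; criticality breaks ties so critical assets surface."""
    return sorted(register, key=lambda r: (r.ale, r.criticality), reverse=True)


def risks_over_tolerance(register, tolerance_ale):
    """Risks whose expected yearly loss exceeds the accepted threshold."""
    return [r for r in rank_risks(register) if r.ale > tolerance_ale]


def rosi(control, register):
    """(ALE avoided - control cost) / control cost; negative means it does not pay."""
    by_id = {r.risk_id: r for r in register}
    avoided = sum(by_id[i].ale * control.reduction for i in control.addresses if i in by_id)
    return (avoided - control.annual_cost) / control.annual_cost


def fund_controls(controls, register, budget):
    """Greedy: fund positive-ROSI controls in ROSI order while the budget allows."""
    scored = sorted(controls, key=lambda c: rosi(c, register), reverse=True)
    funded, remaining = [], budget
    for c in scored:
        if rosi(c, register) > 0 and c.annual_cost <= remaining:
            funded.append(c)
            remaining -= c.annual_cost
    return funded


def residual_ale(register, funded):
    """Total ALE left after the funded controls; overlapping controls compound."""
    total = 0.0
    for r in register:
        factor = 1.0
        for c in funded:
            if r.risk_id in c.addresses:
                factor *= (1.0 - c.reduction)
        total += r.ale * factor
    return total


# Constructed sample register (illustrative numbers only).
REGISTER = [
    Risk("R1", "Permitting and billing system", "Ransomware", 4, 0.25, 800_000),
    Risk("R2", "Public website", "Defacement", 2, 0.5, 20_000),
    Risk("R3", "Payroll and HR data", "Phishing credential theft", 4, 0.75, 120_000),
    Risk("R4", "911 dispatch (CAD)", "Ransomware", 5, 0.125, 2_000_000),
]

# Constructed candidate controls with assumed costs and effectiveness.
CONTROLS = [
    Control("Immutable offsite backups + tested DR", 60_000, frozenset({"R1", "R4"}), 0.75),
    Control("Phishing-resistant MFA for all staff", 25_000, frozenset({"R1", "R3"}), 0.5),
    Control("Web application firewall", 15_000, frozenset({"R2"}), 0.5),
]

if __name__ == "__main__":
    for r in risks_over_tolerance(REGISTER, 50_000):
        print(f"{r.risk_id} {r.asset}: ALE ${r.ale:,.0f}")
    funded = fund_controls(CONTROLS, REGISTER, 100_000)
    for c in funded:
        print(f"fund {c.name}: ROSI {rosi(c, REGISTER):.2f}")
    print(f"residual ALE ${residual_ale(REGISTER, funded):,.0f}")
```

Run as-is, the script lists the three risks above a $50,000 tolerance (the 911 dispatch and permitting ransomware scenarios and the payroll phishing risk), funds MFA and backups within a $100,000 budget, and declines the web application firewall because its avoided loss is below its cost. The point for a council presentation is the shape of the argument, not the exact numbers: each line item is tied to a named asset, a threat, and a dollar figure it reduces. The greedy funding order is a simplification; with real data you would also weigh controls that cover compliance obligations regardless of ROSI.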

What are the components of a cybersecurity budget for a larger municipality?

At this point, you might say, “All right. I admit I could improve my cybersecurity budgeting. But what am I missing?” As you’ll see below, there are some “must haves,” many different options underneath the main categories, and some emerging tools that you may want to incorporate.

PEOPLE

Depending on the size of your county or municipality, you may have cybersecurity specialists on staff, cybersecurity may be encompassed under IT employees, and/or you may use outside resources such as a Managed Security Services Provider (MSSP). Here are some essential people components for your cybersecurity budget.

Personnel

This line item includes any salaries, wages, benefits, overtime, travel, training, and other personnel-related costs for full- or part-time cybersecurity employees. You can include IT employees if cybersecurity forms a significant part of their roles and responsibilities.


Services

This line item includes any cybersecurity service providers, consultants, and advisors helping you with cybersecurity-related matters. Various models include:

  • Standalone Managed Cybersecurity: Using standalone managed cybersecurity services (such as an MSSP) makes sense when you have an employee (or employees) with IT experience but little cybersecurity expertise. An MSSP can provide you with a specialized cybersecurity team that shores up your cybersecurity weaknesses.
  • Co-managed IT services + Managed Cybersecurity: Even if you’ve hired a co-managed IT services provider that already handles both your IT and cybersecurity baseline items, you may find that the size and complexity of your county or municipality requires that you need extra cybersecurity specialization.
  • Managed IT Services + Managed Cybersecurity: Managed services with cybersecurity baseline items included is often the best option for smaller municipalities that want a totally seamless IT management and cybersecurity experience. This model likely doesn’t apply to you.

Training

This line item includes any ongoing cybersecurity education, training programs, and certification costs for personnel to keep them updated on the latest threats and technologies.

  • Professional Training: Includes any cybersecurity-related classes, programs, workshops, or certifications for employees that incur a cost.
  • Security Awareness Training: Includes any budgeting for the development and implementation of security awareness programs for all employees. Security awareness training may encompass online video training, phishing simulations, and in-person training.

HARDWARE

While some IT hardware items may overlap with cybersecurity hardware items, it’s important to review if you invest or need to invest in the following cybersecurity infrastructure and equipment.

Cybersecurity-Specific Hardware

You need to budget for cybersecurity-specific hardware such as:

  • Firewalls: Includes traditional dedicated devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. You may also budget for next-generation firewalls that offer additional features and functionalities.
  • Intrusion detection/prevention systems (IDS/IPS): Monitors network traffic for suspicious activity and potential threats.
  • Multi-function security appliances: You may have hardware that performs multiple functions, combining several tools.

Business Continuity and Disaster Recovery

Because business continuity and disaster recovery are such an essential part of a cybersecurity strategy, you need to budget for hardware that ensures data redundancy. Ransomware operators routinely seek out and encrypt or delete backups before detonating, so at least one copy should be offline or immutable, and you should budget the staff time to test restores, not just the storage:

  • Backup servers: Includes any onsite or offsite backup servers, such as virtual cloud servers, and the cost of keeping an immutable or offline copy separate from your production network.
  • Storage systems: Includes your primary data storage repositories for applications and databases, along with the replication or snapshot capacity that lets you roll back after an incident.

Maintenance and Support

Make sure you include fees for maintenance contracts and support services for all your cybersecurity-related hardware and associated costs. Your agreements and warranties will detail these costs.

SOFTWARE AND TOOLS

In your budget, track all your cybersecurity software and tools such as ongoing costs for software licenses and subscriptions. This includes:

Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR)

Budget for SIEM tools that collect, correlate, and analyze logs from all your different systems and cybersecurity tools within your environment, helping to break down silos between your various technologies and strengthening your overall security in the process. SOAR tools build on that by automating the response: they run playbooks that enrich alerts, open tickets, and take containment actions (such as isolating a host or disabling an account) across your other tools, so a small team can handle more alerts consistently. Budget for log storage and retention as well as the licenses, since SIEM pricing is often driven by data volume.

Endpoint and Advanced Malware Protection

Budget for tools such as endpoint detection and response (EDR) used to secure endpoints (servers, desktop computers, laptops, etc.) and networks by detecting, preventing, and responding to advanced malware threats (including zero-day attacks).

Email Protection

Budget for email filtering, antispam, and anti-phishing protection.

Web and Content Protection

Your budget may include tools that protect against web-based threats by filtering and monitoring web traffic.

Advanced Cloud Security

Many cybersecurity budgets include tools designed to protect cloud-based infrastructure, services, and data from a wide range of advanced cyber threats. This includes Microsoft 365 or Google Workspace protection and backups that go beyond the default settings of those applications, since the provider's built-in retention is not a substitute for your own backup.

Vulnerability Management and Software Patching

Your budget should include tools to help you with asset discovery, vulnerability scanning, risk assessment, vulnerability prioritization, management, and remediation. This includes proactive software patching.

Network Access Control

Includes any tools that control access to network resources by enforcing security policies at the point of entry. This category also covers identity and access management (IAM) and multi-factor authentication (MFA) software, which insurers and auditors increasingly expect to see on all remote and administrative access. Virtual private networks (VPNs) are included as well, as they provide secure remote access to your network by encrypting data transmitted between the user and the network; budget for keeping VPN appliances patched, since exposed VPN gateways are a frequent initial entry point.

Data Loss Prevention (DLP)

Prevents unauthorized data transfers by monitoring and controlling data flows.

Encryption

Budget for solutions that you use to encrypt data at rest and in transit.

Threat Intelligence

Budget for any subscriptions to threat intelligence feeds and platforms.

Reporting and Metrics

You may budget for tools that monitor security performance, generate compliance reports, and provide analytics.


STANDALONE SERVICES AND SUBSCRIPTIONS

Your team may use some standalone services and/or subscriptions that do not require a full MSSP to provide them. Some of these services include:

  • Business Continuity and Disaster Recovery (BCDR): In addition to the investments in backup hardware, software, and services mentioned above, you may also budget for help with BCDR planning—such as developing, testing, and maintaining disaster recovery plans.
  • Incident Response: Especially if you’ve experienced a data breach or cybersecurity incident, you may budget for incident response services and forensic investigation. This can also serve as a reserve fund for unforeseen cybersecurity incidents and emergencies such as a cyberattack or data breach—covering incident costs and data restoration.
  • Penetration Testing: Many IT departments budget for regular penetration testing and security assessments by third parties to validate security posture.
  • Dark Web Monitoring: You may budget for a service that monitors the dark web for compromised data and threats.

Compliance and Risk Management

Depending on the regulations you must follow, it may make sense to budget for some compliance-specific services, solutions, and third-party consulting help.

  • Compliance as a Service (CaaS): Many IT departments invest in software, tools, services, and expertise to ensure compliance with relevant frameworks.
  • Risk Management: You may use solutions to help with risk assessment and management.
  • Policy Development: Your budget may include costs associated with developing and maintaining security policies and procedures.

Cybersecurity Insurance

Obviously, you will budget for cyber insurance because it mitigates the financial impact of cyber incidents. But it helps to keep in mind that, without a disciplined cybersecurity strategy and budget, your premiums might increase, both because you lack basic cybersecurity best practices (insurers commonly ask about MFA, EDR, and tested backups on their applications) and because you may experience a cyberattack without proper protections, adding to long-term costs. In a worst-case scenario, a cyber insurance provider may void your claim or deny you coverage, risking massive post-incident costs. Using unsupported and outdated software, or misstating your controls on the application, can also void a claim.

A Note on Unforeseen Cybersecurity Expenses

Unforeseen cybersecurity expenses will hit your budget at some point. However well-prepared (or ill-prepared) your environment is against cyberattacks, you should budget for unplanned cybersecurity incidents.

For example, responding to and recovering from cybersecurity incidents (such as ransomware attacks) will likely involve forensic investigations, remediation efforts, and legal expenses. And with data loss in the wake of a cyberattack, data recovery and restoration will likely involve hardware replacement and downtime costs.

Many of these expenses can be avoided or mitigated with proactive cybersecurity budgeting and investments. However, you should still allocate funds for unexpected costs related to new threats, technology updates, or emergency purchases.


Presenting to council: Translating jargon into priority alignment with leadership

It’s sometimes frustrating presenting a detailed cybersecurity budget to your council, as something clearly important to you doesn’t translate well to a non-technical decision maker. Here are some tips and best practices that may help your future presentations.

1. Engage key stakeholders early in the process.

Get input and build support early so that you talk to council with a team of allies behind you. It’s powerful to have the heads of various departments on your side—understanding why your proposed investments are important and backing you up from different perspectives.

2. Connect your cybersecurity budget with council priorities.

It’s likely that your council cares about increasing public safety, protecting resident data, and ensuring that critical services remain operational. Not investing in cybersecurity threatens those priorities. If you’ve conducted a recent assessment or audit, use that information to highlight how your proposed budget will mitigate specific risks.

3. Avoid jargon and dry data dumps.

While you live in the world of IT and cybersecurity, others don’t. Explain any cybersecurity risks and your solutions to those risks in non-technical terms. Research and cite real-world examples of counties and municipalities that have suffered from cyberattacks and data breaches. Counties and municipalities do not want to become an embarrassing headline and lose the trust of residents.

4. Talk money.

Councilmembers may not understand the intricacies of cybersecurity, but they understand dollars and cents. Let them know the financial impact of a data breach, downtime, and recovery costs—and how your investments will reduce the chance of an incident and overall incident costs if one happens.

5. Paint a clear picture of the future.

Be ready to answer important questions. How will your budget be implemented? What does the future look like? Your plan needs milestones, timelines, and measurable outcomes to demonstrate how you will effectively spend your allocated budget and what results you expect.

6. Don’t just address councilmembers once a year.

To ensure that you build support for future budgets, offer ongoing updates about cybersecurity trends and threats throughout the year. By keeping councilmembers informed, you both teach them and provide reasons as to why your cybersecurity budget is so important.

The goal of the above tips is to make sure that councilmembers don't wait until an incident occurs to understand the importance of investing in cybersecurity. Many counties and municipalities are disruption-driven and don't act until a major cyberattack or data breach occurs. Attempt to get ahead of an incident by focusing on risk, and on how to mitigate that risk before a costly, embarrassing incident occurs.

Conclusion

Refining and deepening your cybersecurity budgeting helps you more proactively and comprehensively address risks while focusing more on critical priorities. Once you establish a detailed cybersecurity budget, educate decision makers on it, and use it to help you enact your cybersecurity strategy, you will then tee yourself up to ask for more money each year as you demonstrate the positive impact that proactive cybersecurity measures have on your municipality.

Need help with cybersecurity budgeting?

We’re here to help. Reach out to us today to talk about your cybersecurity budgeting gaps and challenges.
