How much should a company invest in cybersecurity?

Momentum: Cybersecurity in Organizations

Cybersecurity investments are not a matter of percentage calculations, but a risk-based decision. A structured, risk-oriented approach helps define a sensible budget, prioritize measures based on their effectiveness, and regularly review both effort and benefit.

Every day we read about cyberattacks in the media, and we are aware that cyberattacks are among the greatest risks for our own company as well. At the same time, we tend to approach terms such as ransomware, phishing, data theft, or sabotage rather cautiously. Companies must weigh the risks (financial damage, reputational damage, supply chain reliability, and compliance requirements) against investing in preventive security measures.

This often leads to discussions: costs are measurable, but avoided incidents are not – at least until a security incident actually occurs. The key question is how companies can define a sensible investment framework for cybersecurity, which measures deliver the greatest impact, and how effort and effectiveness can be assessed in a practical way.

Between compliance requirements and risk management

Cybersecurity operates in the area of tension between the «must» (regulatory, legal, or industry-specific requirements), the «can» (the financial and human resources available), and the «should» (the level of residual risk that management is willing to accept).

Legal requirements (GDPR, the revised Swiss Data Protection Act, NIS2 and industry-specific standards) define a minimum level of security measures. However, these requirements represent only the lower boundary and do not guarantee adequate protection against real-world attack scenarios.

In practice, several rough benchmarks have become established:

  • 8–15 percent of the IT budget is often used as a general guideline for cybersecurity across many industries.

  • In critical infrastructure, financial services, or data-intensive business models, the budget is frequently significantly higher.

  • Small and medium-sized enterprises often invest less but carry relatively higher risk exposure.

The prevention versus response ratio is commonly structured as follows:

  • 80% prevention (awareness, hardening, monitoring)
  • 20% response (backups, emergency exercises, recovery and restart capabilities).

These figures do not replace individual risk assessments but illustrate that cybersecurity is an integral part of modern IT and corporate governance. The level of cybersecurity investment is therefore less a technical question and more a conscious decision about risk acceptance, liability, and business continuity.

Make Investment Decisions in a Structured Way

The appropriate investment framework is derived from a risk-based assessment rather than from technical wish lists or fear of negative headlines. A multi-stage approach has proven effective:

Make Intuition Visible

Cyber resilience is not exclusively an IT issue; management must be involved. The following questions should be answered first:

  • «What are we actually afraid of?»
  • «What must absolutely not fail?»
  • «What would be ‘uncomfortable’ or even existentially threatening?»

Determine Protection Needs

From these answers, it is necessary to derive what needs to be protected. People often think primarily of IT systems and technical components. However, this also includes critical business processes and sensitive data such as customer data, intellectual property, patents, or production data.

The level of protection required depends on the potential impact of a failure in terms of cost, legal consequences, supply chain reliability, and reputation. Areas of influence include customers, employees, partners, as well as the public and regulatory authorities.

Analyze Threats and Vulnerabilities

Based on the protection needs, threats and vulnerabilities are then analyzed. Questions such as:

  • «What realistic, business-relevant attack scenarios exist?»
  • «Where are known vulnerabilities present (technical, organizational, process-related, supply chain-related, or human factors)?»

help guide this process. In many cases, simplified risk assessments are sufficient to become operationally capable. It is not necessary to run a full ISO/IEC 27001 project to start taking effective action.

Quantify Expected Damages

Once threats and vulnerabilities are known, the next step is to quantify the expected damage. The goal is to determine the potential financial impact if a specific scenario occurs. A realistic assessment of how frequently an event might occur is also important.

The combination of the damage magnitude and the probability of occurrence results in an expected annual loss, which serves as an orientation value for prioritization and investment decisions.

Align Investments with Risk Reduction Potential

Finally, security measures are prioritized to ensure that risks can be demonstrably reduced and that a favourable cost-benefit ratio is achieved. In addition, measures should address regulatory or business-critical requirements and be feasible in the short to medium term.

The investment framework is therefore not derived from a fixed amount but from an economic trade-off between risk exposure and achievable risk reduction.
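As an added illustration (not code from the original article), the following Python sketch carries the steps above through on constructed figures: expected annual loss per scenario as damage magnitude times annual frequency, and measures chosen by marginal risk reduction per franc within a given budget. All scenario values, measure costs and reduction shares are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    single_loss: float       # estimated damage per occurrence in CHF (constructed)
    annual_frequency: float  # expected occurrences per year (constructed)
    def expected_annual_loss(self) -> float:
        return self.single_loss * self.annual_frequency  # magnitude x probability

@dataclass
class Measure:
    name: str
    annual_cost: float
    reductions: dict  # scenario name -> share of its expected loss removed

def residual_loss(scenarios, selected):
    # Loss left with the selected measures in place; reductions on one scenario combine multiplicatively.
    total = 0.0
    for s in scenarios:
        remaining = s.expected_annual_loss()
        for m in selected:
            remaining *= 1.0 - m.reductions.get(s.name, 0.0)
        total += remaining
    return total

def select_within_budget(measures, scenarios, budget):
    # Greedy: keep adding the affordable measure with the best marginal reduction per CHF; returns (names, residual).
    chosen, left = [], budget
    while True:
        current = residual_loss(scenarios, chosen)
        best, best_ratio = None, 0.0
        for m in measures:
            if m not in chosen and m.annual_cost <= left:
                ratio = (current - residual_loss(scenarios, chosen + [m])) / m.annual_cost
                if ratio > best_ratio:
                    best, best_ratio = m, ratio
        if best is None:
            return [m.name for m in chosen], current
        chosen.append(best)
        left -= best.annual_cost

# Constructed sample input: three scenarios, four candidate measures.
SCENARIOS = [Scenario("ransomware", 800_000, 0.10), Scenario("phishing", 40_000, 1.50),
             Scenario("supplier outage", 300_000, 0.20)]
MEASURES = [Measure("awareness training", 20_000, {"ransomware": 0.3, "phishing": 0.5}),
            Measure("MFA", 30_000, {"ransomware": 0.2, "phishing": 0.7}),
            Measure("tested offline backups", 50_000, {"ransomware": 0.6}),
            Measure("central monitoring", 120_000,
                    {"ransomware": 0.4, "phishing": 0.2, "supplier outage": 0.3})]
```

With a budget of CHF 100,000 the sketch picks training, MFA and backups and leaves a residual expected loss of CHF 86,920 out of 200,000; the monitoring platform only enters the picture once the budget allows it, which is the «low-hanging fruits first» ordering the article argues for.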

Focus on «Low-hanging Fruits»

A common mistake is to start with complex or expensive solutions while fundamental security measures are missing. Experience shows that the following areas deliver the highest impact per invested unit of currency:

Awareness and Employee Training

A large proportion of successful attacks start with human error. Regular, practice-oriented training on phishing, password security and secure working practices significantly reduces risk at relatively low cost.

Time Expenditure per Employee vs. Risk:

  • A single successful cyberattack can result in weeks of downtime and substantial damage. Well-trained employees therefore significantly reduce risk.
  • 10 minutes per week for cybersecurity training equals about 8 hours per year.

Conclusion: A manageable investment of time can significantly reduce the attack surface and limit consequential costs.

Basic Hygiene in IT

Basic hygiene in IT refers to fundamental security measures that should be implemented across the organisation. These include:

  • Patch and update management
  • Inventory of systems and accounts
  • Strong authentication (e.g., MFA)
  • Privilege minimization
  • Deactivation of unused user accounts
  • Reliable backup and recovery strategies (offline and regularly tested).

Visibility and Proactive Monitoring

Effective protection requires knowledge. Appropriate and targeted monitoring of systems, logs, and access activities in a central location enables early detection of attacks, faster response, and therefore limits the spread of damage.

Emergency and Incident Response Planning

It is not complete prevention, but rather the professional handling of security incidents that determines the actual costs. Clear responsibilities, regular testing (crisis exercises), communication plans, and decision-making processes are essential.

Conclusion

Cybersecurity rarely delivers a directly measurable ROI. For this reason, decisions regarding security measures and budgets must be made at the management level — based on risk rather than technology.

isolutions supports organisations in making these decisions in a well-founded manner:

  • Through security assessments,
  • Maturity analyses,
  • Zero-trust approaches,
  • and the establishment of monitoring and incident response structures based on the Microsoft security platform.

This helps create transparency about risks, jointly define the acceptable residual risk range, and evaluate the effectiveness of measures.

Control questions help management correctly assess risks. Residual risk will always remain — the key is how much a company is willing to consciously accept.

With our

  • Cybersecurity maturity check,
  • Security governance,
  • and modern security monitoring (SIEM/SOAR, Defender, Sentinel),

we support organisations in this risk trade-off.

Regular reviews are essential to consider new threats and environmental changes. Our continuous security reviews, penetration testing support, monitoring services, and resilience workshops help reduce risks in a targeted way. Relevant metrics are not the number of attacks prevented, but the reduction of expected risk, shorter detection and response times, and increased resilience.

Cybersecurity is not a state but a process. Through recurring risk and control reviews as well as lessons learned, awareness of risks increases. At the same time, it becomes possible to demonstrate how risks evolve over time. Those who understand cybersecurity in this way do not invest «too much», but invest in a targeted and responsible manner in resilience, operational capability, and long-term sustainability.

Contact

Would you like to learn more about cybersecurity?

Markus Kaegi

Business Unit Lead - Cyber Security

markus.kaegi@isolutions.ch