
Most financial teams can agree that the amount of money in a cybersecurity budget will change depending on the size of the organization. According to a study from Deloitte and the Financial Services Information Sharing and Analysis Center, financial services firms on average spend 10 percent of their IT budgets on cybersecurity, or approximately $1,300 to $3,000 per full-time employee. Microsoft, on the other hand, invests more than $1 billion. Just as varied as the amount of money allocated toward cybersecurity is who in the company takes responsibility for the funds.

BTI Consulting Group's Cybersecurity & Data Privacy 2020 report recently showed that 46 percent of companies put the legal department in charge of the cybersecurity budget. Nearly a quarter of respondents said the budget is held by IT departments, almost 20 percent in security, seven percent in compliance, and 6.9 percent said it was held by another department.

With laws such as the European Union's GDPR and the CCPA law in effect in the U.S., the trend toward looking to the legal department for cybersecurity oversight is likely to increase. Because legal acts as a liaison between compliance and technology, there are many potential benefits to having the legal team control cybersecurity reserves. However, there are some significant challenges as well.

Below, we take a look at the pros and cons of legal handling the cybersecurity budget, how to mitigate some of the challenges and how to determine which department should ultimately take charge.


Benefits and Risks of Legal Taking Control of Cybersecurity Budgets

Lawyers can protect companies—because they have the jurisdiction to do so. The legal department can act as a voice at the top of the organization, and in some cases the security team can do a lot of work under the direction of counsel. Legal can act as a temporary shield, advise security teams on the steps to take in informing customers of a potential breach, help mitigate the damages after a breach, and act as an impartial decision maker when cooperation between the security and IT teams breaks down.

On the other side of the coin, legal teams do not have an understanding of cybersecurity capabilities or a native definition of "good." This fundamental lack of experience could prevent them from understanding the pain and challenges faced when defending an enterprise network.

Liability is also a big concern, as it can drive the behaviors and associated capabilities of the security team. Visibility in the form of alerting and logging comes to mind. If an alert isn't enabled or a log isn't sourced, then culpability is lessened, or is it? It's not uncommon for security teams to fight about this topic, as it can inhibit them greatly. The poor example is this: if the organization does not generate an "unnecessary" alert, it is "less at risk" (read: legal risk), because awareness followed by inaction is worse than ignorance and inaction. The legal department may view this more favorably, because the company cannot be held responsible if it did not know a problem was there. Conversely, if you have a security tool that constantly alerts, you now have to review those alerts and respond. Now there's culpability. The combination of this emphasis on liability and the lack of knowledge is reason enough why many organizations decide against legal handling the cybersecurity budget; however, this union will most likely occur in times of major incidents, and especially breaches.


The Importance of Legal and Security Being Aligned 

If companies review the pros and cons and decide to have legal take over the cybersecurity budget, there are conversations that need to occur first. CISOs, CIOs and lawyers have a tendency to speak their own languages. Just as a CISO or a CIO would not necessarily understand what goes into an appeal or an arraignment, or what an exempt asset is, a lawyer does not understand some of the terminology of the cybersecurity space. Even CISOs and CIOs struggle at times to understand the jargon that comes with their individual territories.

The lawyers, CIOs and CISOs need to make a real point of understanding and trusting each other. They must state their needs in plain language. If legal is in charge of the budget, the cybersecurity and IT teams need to be aligned and articulate their needs accurately to the legal department. Only then can an organization solve and prevent risks.

When the legal department, which can include chief compliance officers, chief privacy officers and chief privacy counsels, aligns with the security and IT teams, organizations can ensure that data is secure and abides by all privacy laws. This can help organizations save thousands, or even millions, of dollars in fines for violating laws such as CCPA and GDPR. Just as the security teams can keep legal up to date on the latest threats that might be targeting the organization, legal teams can return the favor by sharing knowledge of new privacy regulations.


The Bottom Line on Cybersecurity Budgets 

What most companies get wrong is that cybersecurity isn't new to anyone today. Breaches have overwhelmed the headlines for years now. Security has to be controlled and overseen at the highest level, as opposed to being an ELT afterthought. The legal department and security teams should want to see security as an output of quality. No one wants to work with a company that isn't secure or, said plainly, a company they don't trust.

Security as a whole needs to be a corporate mission. Rather than focusing on who holds the actual reserves, look at it as a reporting structure. The budgeting process starts the discussion that the organization is open to new capabilities, which is a product of strategy. The legal department or an outside counsel can serve as an unbiased party to opine on strategy if they are the gatekeeper to resources.

Organizations are still finding their way. Companies are spending more money on cybersecurity and are still unable to detect and respond to problems in their environments; they are failing. Until we understand the adversary and the threats to the organization, and prioritize security in the culture of the organization, we will continue to joust over control of the cybersecurity budget.

For organizations currently facing the choice of who should allocate the funds of the cybersecurity budget, the legal department is a viable option. Even with some reluctance from legal teams in some areas, the benefit is that they are no stranger to obtaining executive support. Their say is final, and with it comes the cooperation required to complete the project across the board. The legal department can serve as a reminder of the law to help make the best decisions for the organization. As long as the security and IT teams can align and communicate with the legal department, the organization can succeed in protecting itself and its consumers.

Stephen Moore has been vice president and chief security strategist of Exabeam, Inc. since August 2017. Moore has more than 15 years of experience in information security, intrusion analysis, threat intelligence, security architecture and web infrastructure design. Prior to joining Exabeam, Mr. Moore spent more than seven years at Anthem, in a variety of cybersecurity practitioner and leadership roles. He served as staff vice president of Cyber Security Analytics at Anthem, Inc. and played a leading role in the response and remediation of the data breach announced in 2015. He has deep experience working with legal, privacy and audit staff to improve cybersecurity and demonstrate greater organizational relevance.