Cybersecurity budget: an illusion touching you. How to prepare it well...

The MCG (Matias Consulting Group) teams are already on deck for 2024!  Its experts and consultants, support team, sales and back office are working relentlessly to put the coming year projects into place ! Over 20 years' experience and expertise in IT and cybersecurity, based in Belgium, from Louvain-la-Neuve in the heart of Walloon Brabant, dozens of satisfied and protected customers... but never rest on your laurels.


Experts MCG

The MCG (Matias Consulting Group) teams are already on deck for 2024!  Its experts and consultants, support team, sales and back office are working relentlessly to put the coming year projects into place !

Over 20 years' experience and expertise in IT and cybersecurity, based in Belgium, from Louvain-la-Neuve in the heart of Walloon Brabant, dozens of satisfied and protected customers... but never rest on your laurels.

That's why questioning is so important to us, especially at a time of many changes: technological, geopolitical, ethical, environmental, societal and so on.

Once again, we'll have to handle the curve intelligently and insightfully, with agility and creativity.

Digital and cyber can have a far greater impact than you might imagine...

Go beyond the idea of a 'simple' IT and cyber budget, and look further and higher!


The clock is ticking. And it's almost November 2023. Like every year, all companies and organizations are devoting themselves with strength and energy to a customary but sometimes very perilous exercise: the budget!

Let's take a step forward and try to see this budget exercise not as a constraint, but rather as an opportunity for transformation, even more holistically, beneficial for your company and its future.

So, yes, drawing up an IT budget can quickly become an acrobatic exercise. There are so many parameters to estimate and anticipate - and no crystal ball! What's on the menu? Estimating income and sales for year n+1.

All this can be fraught with uncertainty and big questions ...


Micro and Macro influence: finding answers where we only see questions


Risk. It's all about quantifying, assessing and planning risk.

Drawing up an annual budget, whatever the department, reveals fears and uncertainties, because behind it all are the risks that the entrepreneur foresees. But you need to be able to get through it, and to fight yourself in order to aim as accurately as possible…

Risks - whether at microeconomic level first (launch of new products or services, reaction of professional or non-professional customers and consumers to solutions, strategic moves by competitors, … ) or at macroeconomic level next (geostrategic upheavals such as wars, epidemics, new fiscal policy, monetary policy of the Fed or the ECB, various new regulations, ...).

Micro or Macro, entrepreneurs and company directors will not be spared from uncertainty. Weren't you called a tightrope walker? That's why you need to be able to take a step back and look at the big picture - analyze business, cyber, IT and technological trends, and so on. You need to establish an in-depth and ongoing watch of your industry.


Cybersecurity and AI (Artificial Intelligence): may prediction be with us!


Artificial intelligence has the quality of being predictive for certain needs. It's the big trend at the moment, AI in any shape, size and color !

Yes, AI is changing the game in content creation, social networks, analysis and forecasting tools, code creation, even for hacks!

However, the use of AI and its predictive power in this exercise has yet to be confirmed and validated with certainty. So we'll have to resort to good old-fashioned methods.

In the perilous exercise of drawing up IT and cybersec budgets, there is one part that seems simpler: the costs. At first glance, they can be estimated very precisely and linked to income levels.

However, Grégorio Matias, our CEO at MCG (Matias Consulting Group) and senior consultant in cybersecurity, had the opportunity, as part of his university education in economics and then as a company auditor, to make a clear distinction between “expenses" and "investments". And this nuance is very important.


Costs and investments in IT and cybersecurity: investing in the future and having a positive impact on it


Let's explain: in essence, an expense is a cost that is consumed during the year and which does not, at first sight, have a substantial impact on the organization's revenues.

An investment, on the other hand, is investing in the company's capital and future. As the name suggests, an investment enables the future to be financed (not necessarily financially) and it is therefore logical to expect a return, and for it to have a positive and beneficial impact on income (examples: investing in human capital, in a low-energy building, in a low-consumption production machine, etc.).

It is also very important to include the various environmental, societal and good governance dimensions in investments. For example, MCG has not waited for the definition of ESGs (environmental, social and governance criteria) by investing from the start in human and environmental capital.

More than ever, a company must also have a positive impact on society and the environment. We'll come back to this in a later chapter.


"This is not an expense": seeing IT as an investment


A long time ago, in the second half of the 1990s, at the CEBIT trade fair in Hanover (an IT and bureautics trade fair that no longer exists), the Gartner Group gave a lecture comparing the development of 'IT spending' with that of productive investment by large companies.

This graph was quite amazing, because it showed that in these large companies (understood as a large company in terms of size, but also in terms of maturity) the 2 curves were starting to follow the same trend (they were literally merging).

By this time, these mature companies had understood that IT was not just a cost, but a means of improving production, and that it should therefore be considered as a "productive investment" rather than an "overhead".

But let's come back to our own time, and closer to home, let's focus on Belgium and the Small and Medium-sized Enterprises - companies that account for over 90% of employment across all companies in the Kingdom.

Well, even today, in these SMEs, here in Belgium, we are still busy asking ourselves questions and creating a barometer of digital maturity ...

Or rephrased in another way: does a Belgian SME invest in digital as a 'productive' element or as a simple expense?

The concern is that we are more than 20 years later and maturity on this subject is only just starting to develop. While this should be blatantly obvious.


Restoring visibility to Cyber budgets as well as to business applications’


To talk about and have a budget for Cybersecurity, you first need to have a clearly established budget for "IT and Digital". Most companies don't even take this step.

Cybersecurity is generally only a means - albeit an important and indispensable one - of ensuring the continuity of IT and therefore the productive activities of the company or organization. It should therefore be on top of the list.

However, where is this famous … investment budget?

In my experience, establishing the IT budget is quite visible and generous for the "business applications" part, i.e. what we see, or perceive.

On the other hand, when it comes to the more discreet, or shadowy (yet not invisible and useless), often non-existent for the infrastructure or the customer: Cybersecurity, budgets are reduced to a rather frugal part…

Cyber is perhaps less sexy, less flashy, less intuitive, and yet so essential.

So if you're not yet convinced by what we're saying: do the death test.

Shut down your servers and the access to Cloud resources, and turn off your computers. Try the experience of living with IT blocked by an attack or virulent breakdown. In much the same way as if you had to live without electricity or heating. Unthinkable.


The death test: can I live without my IT equipment for several days?


The test is therefore to see whether you are capable of living for several days without this “shortcoming” having an impact on your income, your survival or the way you function as an organization.

If you find it easy to go on living without your IT installations, then congratulations! You've passed the death test!

With no IT budget to worry about, you're well on the way to getting back to good old pen- and-paper habits.

In the opposite case, if you notice that nothing can run smoothly, efficiently and correctly when it comes to IT, then proof by the absurd has just convinced you that an IT budget was necessary.


Your level of cyber security does not depend on IT budget size: it depends on a number of parameters…


It's worth remembering, however, that this IT (or cybersecurity budget) is multifaceted - a small budget doesn't necessarily mean poor protection, and on the opposite a larger budget doesn't necessarily mean invincibility.

The most important thing is to think through and anticipate all the elements that could have an impact on this budget, so a good understanding and the establishment of a register of needs and uses is vital. This register is specific to each company, and some elements may carry more weight than others.

The size of this IT and cyber-security budget therefore depends on a number of factors:

The sector in which you operate: it seems obvious that the more you have digitized your business (or the more you are a pure digital player), the higher the ratio of IT budget to turnover will be.

The risks of impact on your core business being higher.

A catch-up phenomenon: some managers under-invest for years in their IT and Cyber budgets. If your budget has been too low for several years, it will be necessary to step up the budget to make up for lost time (and non-existent investment).

It will be a question of rapidly putting in place corrective measures and an operational deployment of repairs that could require more substantial costs, in the short term and during the update time. 

The cybersecurity implementation to put in place: intrinsically, the cybersec part of the budget specific to your project could also make the total budget vary for the following reasons:

  • You want to achieve the right level of cyber security risk management for your business objectives.
  • You need to meet stringent compliance requirements, such as the implementation of NIS2 regulation.
  • Your external visibility or exposure - you are a prime target for hackers because of the specific nature of your business.
  • Your competitors: you also need to be aware of your competitors' budgets, which may mean a strategic move in your sector/industry that you should align with.  
  • And so on.

In conclusion, IT and cybersecurity budgets are matters that need to be considered with great care and attention, and approached with method and precision.

Every project, every budget is unique, there are no 'standard prices' and no 'ready-to-use' products or services to buy off the shelf.

Bear in mind that these budgets are your guarantee of productivity, efficiency and, above all, resilience in the marketplace.

So even if you feel that this represents a cost, think of it as the assurance that you will be able to work efficiently, peacefully and sustainably without having to live with the fear of the risk of a hack, ransomware or attack. And if you still have doubts - remember the possible consequences of the famous 'Death Test'...

The Belgian experts and consultants at MCG - Matias Consulting Group (, with their dual expertise in digitisation, cybersecurity and business understanding, are on hand to help you tackle this critical exercise.


Cybersecurity budget: an illusion touching you. How to prepare it well...

Tell us about your needs

Let's assess your Cyber Security together

Thank you for your message, we’ll contact you very soon! Fill all fields Error when creating request. Please try again