Getting to the right cybersecurity budget in today’s economic uncertainty
I subscribe to several daily emails focused on business and security news, and not a day goes by without stories about layoffs or other spending cuts due to economic uncertainty, and stories about cybersecurity breaches. Cybersecurity leaders must walk a tightrope – between securing adequate funding to protect the organization and not being tone-deaf to the economic realities their organization faces.
To navigate these waters, CISOs should sharpen how they articulate the business value of cybersecurity. Here are five ideas on how to do that in preparation for budget discussions.
1. Align with business objectives and risks:
Language: Eliminate technical jargon and acronyms and talk in business terms focused on risk reduction, enabling revenue, resilience, and brand protection.
Quantification: Develop financial estimates for potential threats and the impact of mitigation efforts. Demonstrate the "Value at Risk" for your organization and how your proposed investments can reduce exposure. Work together with Internal Audit and financial leaders to add credibility to this work.
Prioritization: Identify your organization’s crown jewels and the most significant threats to those critical assets. Then focus your budget requests on mitigating the highest impact risks first.
Enablement: Frame your cybersecurity strategy as an enabler of business initiatives rather than purely as defense. For example, deployment of AI, digital transformation, M&A, entry into new markets, and building customer trust are all revenue drivers that depend on security.
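One concrete way to produce the "Value at Risk" numbers called for under Quantification is a small Monte Carlo model of annual loss: sample how many loss events occur in a year and how large each one is, then compare the distribution with and without the proposed control. The block below is an added example, not code or figures from the original post; the event frequencies, loss sizes, and control cost are constructed illustrations and should be replaced with estimates agreed with Internal Audit and Finance.

```python
"""Monte Carlo estimate of annual cyber loss exposure, before and after a proposed control.

Added example (not from the original post). All parameters below are constructed
assumptions for illustration, not real loss data.
"""
import math
import random
import statistics


def poisson(rng, lam):
    """Sample an event count from a Poisson(lam) distribution (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def annual_loss_distribution(rng, events_per_year, loss_median, loss_sigma, trials=20000):
    """Simulate `trials` years; each year has Poisson(events_per_year) events,
    each with a lognormal loss whose median is `loss_median`."""
    mu = math.log(loss_median)
    losses = []
    for _ in range(trials):
        n = poisson(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(n)))
    return losses


def summarize(losses):
    """Expected annual loss plus the tail figures leadership usually asks about."""
    s = sorted(losses)
    return {
        "expected": statistics.fmean(s),
        "p95": s[int(0.95 * len(s))],
        "p99": s[int(0.99 * len(s))],
    }


def value_at_risk_case(seed=7):
    """Compare baseline exposure with exposure after a proposed control.

    Constructed assumptions: baseline 2 loss events/year with a $250k median loss;
    the control halves the event rate and cuts the median loss to $150k, and
    costs $400k/year to run.
    """
    baseline = summarize(annual_loss_distribution(
        random.Random(seed), events_per_year=2.0, loss_median=250_000, loss_sigma=1.0))
    mitigated = summarize(annual_loss_distribution(
        random.Random(seed), events_per_year=1.0, loss_median=150_000, loss_sigma=1.0))
    control_cost = 400_000
    reduction = baseline["expected"] - mitigated["expected"]
    return {
        "baseline": baseline,
        "mitigated": mitigated,
        "annual_control_cost": control_cost,
        "expected_loss_reduction": reduction,
        "reduction_per_dollar": reduction / control_cost,
    }


if __name__ == "__main__":
    result = value_at_risk_case()
    for label in ("baseline", "mitigated"):
        r = result[label]
        print(f"{label:>9}: expected ${r['expected']:,.0f}  "
              f"p95 ${r['p95']:,.0f}  p99 ${r['p99']:,.0f}")
    print(f"expected annual loss reduction: ${result['expected_loss_reduction']:,.0f} "
          f"for ${result['annual_control_cost']:,} "
          f"({result['reduction_per_dollar']:.2f} per dollar)")
```

The expected-loss line is the "cost avoidance" figure for the ROI conversation; the p95 and p99 lines are the "bad year" numbers that make the risk-tolerance decision concrete. Because the severity distribution is heavy-tailed, the tail values sit well above the mean, which is exactly the point to make when a control is argued on expected loss alone.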
2. Show the return on investment:
Cost avoidance: Potential financial losses from breaches that are avoided through security measures.
Efficiency: Investments that reduce manual effort, optimize security operations, and potentially lower long-term costs.
Reduced incident costs: Reduction in the cost per incident due to faster detection, response, and recovery times.
Compliance and insurance benefits: Lower cost of compliance, reduction in audit complexity, and potentially obtaining the “non-smoker rate” or higher coverage on your cyber insurance.
Effectiveness: Establish and monitor metrics to demonstrate improvements in areas such as:
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
Vulnerability remediation time
Number and severity of security incidents
Audit outcomes
3. Demonstrate your fiscal responsibility:
Highlight rationalization of tools to eliminate redundancies and underutilized solutions.
Optimize security operations to improve efficiency.
Review vendor contracts to ensure best value.
Prioritize foundational security controls like patch management, identity and access management (IAM), endpoint detection and response (EDR), and robust incident response capabilities – demonstrating you are getting the basics right.
Make your internal budget review the stiffest challenge: subject your team’s request to the harshest review it will face, so that anything leadership could challenge has already been eliminated. Internal Audit may be able to help here.
4. Communicate, communicate, and communicate:
Educate: Make it an ongoing campaign to inform your leadership on evolving threats and the organization's risk posture. These are smart executives with the best interests of the organization in mind - when they understand the business risk, they will pull appropriate security in, versus you having to push it.
Build allies: Foster trust with key stakeholders, such as the CIO, Internal Audit, General Counsel, and Enterprise Risk. Include them in advance planning so they can help you adjust your request and support you when you get to the budget meeting.
Tell a compelling story using real-world examples, threat modeling, and case studies to illustrate the business impact of cyber measures.
5. Show what falls below the line:
Highlight what you will not be able to do: be explicit about the risks the proposed budget leaves unaddressed, so your leaders can make an informed risk tolerance decision, just as they do in other areas.
By adopting these strategies, cybersecurity leaders can work with their organization’s leaders to hit the right mark for cybersecurity spending based on the risk and economic realities. The key is to shift the perception of cybersecurity from cost center to enabler and protector of revenue.
Hold Fast
Stay True
PS: Thank you for the positive feedback on last week’s shameless family promotion of my brother’s latest novel. I am proud to report that it hit #1 on the New York Times bestsellers list!