It’s a constant battle between profitable business investments and “unprofitable” security investments to protect the current bottom-line. Despite the headlines, growth-oriented executives tend to prioritise other expenses.
Despite repeated major, high-profile breaches, most cyber security teams still struggle to get sufficient funding.
“After this hack, cybersecurity budgets are bound to increase.” We’ve all thought it. But, curiously, it may not always happen.
An interesting statement recently heard was, “You can pay me today or tomorrow. But tomorrow includes a press release describing that we weren’t proactive in protecting our data and systems.”
In other words, companies can sufficiently fund their cyber security budgets today, or pay after a breach and the accompanying damages and bad publicity.
Based on current cyber budgets, many are “choosing” to pay later.
Another recent comment from a customer was, “It’s absolutely crazy. Every time there would be a major breach, I’d write up lessons learned, and it would just fall on deaf ears. I couldn’t make the message stick.”
This notes that his budget was “extraordinarily tight.” He added, “It’s not just the budget, companies that don’t want to spend money can add huge additional steps to make purchasing onerous, and legal requirements.” It was also noted that not all companies run this way and that his previous role was at a company that properly funded “nearly all justifiable cybersecurity expenses.”
The problem is not necessarily a lacking of funds. Another CISO from a medium to large company commented, “From what I have seen the issue is not necessarily that the money is not there, typically the issue is that security almost always competes with other operational priorities.”
The challenge, then, is to convince the board and executives that cyber security is as important as the latest operational priorities and is necessary to protect current revenues. So, what can a security professional do to get around this odd phenomenon and ensure the funding necessary to protect his or her company from becoming the next Equifax?
1. Speak their language
As an expert, I had to recently tell a CEO about his security risks. But he doesn’t care about most of what I know. He wants the bottom line key points. And he wants to know what he can do about it, and what the likely outcomes are with each of his options.
Cybersecurity experts have a habit of losing their audience and confusing them, often speaking too technically and with too many acronyms. If your board or executives doesn’t understand, they’re going to be more hesitant.
It takes a lot of practice to overcome this. Boards and execs care about business. And they care first about mission-critical operations and bottom-line profits. Cyber risks can threaten those two goals, which are the heart of any organization.
Cybersecurity needs to be treated as a business function. It needs to be presented to boards and executives like any other business function in the organization.
2. Use metrics and visuals
If I’m running a company or on a board, the first question I’m going to ask of any proposal for funds is, “What do I get for that money?” Can you honestly answer that questions?
Imagine the security team is asking you for money. What do you get for that money?
Often, we use metrics like “incidents detected” or “attacks stopped.” Except for the most tech-interested, executives just don’t care. This means nothing to less-technical boards and execs.
Focus on business-oriented metrics. How much monetary loss have your controls prevented? How many dollars are likely to be saved through the investment you’re asking for?
The toughest one, and the most important one for making cyber a business function is how much more resilient will your people and systems be after this investment? With cyber resiliency, there is clear progress. An investment that increases your resiliency by 30% will be much easier to fund than a confusing technical detection platform with unknown results. Although it’s difficult to do, I’m a big proponent of measuring cyber resiliency against a reputable framework like the NIST Cybersecurity Framework.
Also, you need to speak in charts. Executives need simple visuals to show these things. Picture the cliché charts of profits going up. If you can’t do this in-house, then it’s vital that you outsource this. It will pay off later, with increased buy-in and budget.
3. Get outside verification
Sadly, internal security evangelists can be viewed with scepticism. This happened even when I had the reputable weight of the ASD or NIST behind my recommendations.
Dentists say you must floss every day and mechanics say you need an oil change every 3,000 miles, but we all know these are the standards of perfection and that you’ll be ok if you skip a day flossing or wait until 4,000 miles this time. What makes cyber any different?
Another CISO put it best. “Frequently, management doesn’t believe the experts they hire. After failing an audit, then they start to believe.”
For better or worse, an outside opinion carries more weight. Consider outside consultants to analyse your staff and systems before an audit comes up and makes you look bad. It’s ironic but spending money to help your board understand the problem can get you even more money in your budgets.