A running theme in my latest book, “You Can Stop Stupid,” is that security professionals don’t get what they need; they get what they deserve.
Security teams generally have a pretty clear idea of how much they need to spend to adequately protect their organizations. How they justify that need determines what they deserve. I’ve seen chief information security officers (CISOs) — and their functional equivalents in smaller firms — present stellar budget requests with strong business cases and get enough to pay for some “nice-to-have” items. They deserved to get more than they actually needed.
Unfortunately, more often than not, technical types make poor business cases for security programs and, as individual professionals, deserve to get less than they actually need. The result is that the organization is the loser, along with the CISO personally.
As a CFO, what you need to see is that financial resources are used appropriately and that funding for any project provides a return on investment to the organization. You are also very likely not an expert on current security technologies and best practices, nor do you need to be. So when your CISO or security provider puts together a budget proposal and brings it to you and the rest of the leadership team for approval, it matters how that request is presented.
I’ve found that many, if not most, security leads present their budgets based on logistical and technical concerns, with no business case. They tend to take a previous budget and request an increase based on some arcane formula they figured out, then tack on money for additional tools that they justify by the need to adapt to evolving threats.
I know you hear a lot that attackers are focused on small-to-midsize companies and are all about taking your money. Well, it’s true. The most recent Verizon Data Breach Investigations Report, a well-respected source of cybersecurity insights, shows that more than 70% of cyberattacks are aimed at small businesses, and 86% of breaches are financially motivated.
However, security leads rarely move beyond the scary headlines and talk about specific real or credibly possible losses that the requested increase in budget will mitigate. They don’t calculate potential increases in operational efficiency. They are in a tactical and reactive mindset, not a strategic one. This is somewhat understandable given the stressors of their jobs. However, without a strategic case based on a cost/benefit argument, your security team or provider will not get the budget it actually needs.
You might respond that if the CISO is not skilled at justifying which security expenditures are appropriate for the company, that’s not your problem — it’s not like you have extra money. That additional (unsupported) budget request is asking for cash that's being used productively elsewhere.
To that I say, your security posture is weaker than it could be, and you may be losing more money than you realize. There have obviously been some devastating cybersecurity attacks. But more frequently, I see organizations suffer death by the proverbial thousand cuts, with dozens or hundreds of smaller losses adding up to a major hit. Smaller losses — random virus incidents that corrupt PCs and cost productivity, lost USB drives that might require a disclosure, and phishing attacks that trick users into sending scammers money or data — usually cost relatively little to mitigate, but they add up to significant costs over the course of a year.
CISOs who know how to make a good business case identify the major cybersecurity concerns of their organizations, make realistic assessments of risk and map those to the loaded cost of required countermeasures.
More importantly, they talk about the money, time and reputational savings resulting from their efforts. For every countermeasure requested, they will have a return on investment, even if it is a broad discussion about potential losses or fines mitigated. Business-minded security leaders make it easy for you to give them what they need.
If that’s not your reality, my advice is to assign a finance team member to work with your CISO or provider on the budget request. Or heck, do it yourself. I promise you’ll learn something.
I also get that this is not your job. But by walking through a draft budget and helping justify what has been requested, and determining if there are positions or technologies that they believe they need but didn’t even request, you’re ultimately saving yourself money.
Sample discussion questions could include:
Eventually, you might begin a program where you conduct a similar exercise with all department heads, but my advice is to start with the CISO. These professionals are typically at a disadvantage in that they rarely have the business experience of their operations or sales peers. A little coaching on your part will help the person charged with protecting your company understand the importance of attaching a return on investment to all requests.
In a future column, I’ll talk about how much a company should be spending on security at various stages of growth. I specifically don’t want to do that here, because starting with a recommended budget creates the very problem I’m trying to address. You need to figure out which countermeasures you need based on your own reality, then work out a realistic budget.
The more you help your hard-working security pros deserve what they need, the more savings your organization will realize from minimizing cybersecurity incidents.
Ira Winkler, CISSP is CISO for Skyline Technology Solutions and author of “You Can Stop Stupid.” By day, he performs espionage simulations and assists organizations in developing cost-effective security programs. Ira won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader.
Ira is also author of “Corporate Espionage,” the bestselling “Through the Eyes of the Enemy,” “Advanced Persistent Security,” “Spies Among Us” and “Zen and the Art of Information Security.” He writes for a variety of industry publications and has been a keynote speaker at most major information security events.
Ira began his career at the National Security Agency and went on to serve as president of the Internet Security Advisors Group, chief security strategist at HP Consulting, and director of technology of the National Computer Security Association. He was also on the graduate and undergraduate faculties of the Johns Hopkins University and the University of Maryland.