When we speak with CISOs, it is evident that there is no one-size-fits-all approach to cybersecurity budget planning. There is also no golden standard for how much should be spent on cybersecurity each year. From our conversations with security leaders, these are the top variables impacting cybersecurity spending and budgeting:
- Company vision for innovation and growth
- Executive and board support of cybersecurity initiatives
- Industry
- Whether the company is publicly traded
- Compliance and regulatory requirements
- Overall IT budget
- Any planned organizational changes
BUDGET DISCUSSIONS START WITH COMMUNICATION AND EDUCATION

From our extensive research, we have found that before budget discussions begin, security leaders should ensure they have a strong foundation of communication between themselves and the business leaders within the organization, from each executive to board members.
Communication should be two-way and include education about the value of security and how security can positively impact each department within an organization. Educating business leaders and executives gives them a sense of ownership of the company's overall security. They gain a sense of investment in keeping the company secure and see themselves as active participants in protecting valuable customer and employee data. Once clear and open lines of communication are established, budget discussions become more transparent.
On page 10 of this magazine, Kelly Haydu (Vice President of Information Security and Technology, CarGurus) says, “A lot of times employees might not understand how security ties back to their work or their function. If you can start to talk about how that ties back to the strategic initiatives or the products or programs that they’re running, you’ll get better buy-in. You must form the relationships through something like a roadshow. People that are solely focused on the technology will sometimes fail in that area because they haven’t been able to socialize why their function is important and how it relates to the other business units. So, getting that roadshow going and meeting with other stakeholders is important. Be careful not to give too much information to people in your first meeting, though. Security can be overwhelming to those that have had little to no exposure to it.”
The CISOs we spoke with said these are the best approaches to strengthening communication with executives during budget discussions:

- Use business language
- Provide clear justification
- Demonstrate the positive impact of security initiatives
- Discuss simple metrics correlated to business goals
- Prepare to share progress and ROI
ALIGNMENT WITH STRATEGY

Taking a proactive approach to setting cybersecurity budgets requires clear alignment with the organization’s strategy in order to predict and prepare for any budgetary needs. Many security programs get caught up in the unfortunate cycle of putting out fires and often lack the ability to cohesively drive an established budget plan.
While there always tends to be some degree of reactive budgetary spend in security, security leaders who anticipate this are able to bake it into their budgets. It starts with creating a strong strategy and roadmap, one that identifies areas of strength and weakness and then delineates investments based on a prioritized list.
On page 8, Robert Micillo (CISO, MetroPlusHealth) says, “I think that the most important thing that I’ve done is to provide the executive team complete transparency. I don’t sugarcoat anything. I’m a very transparent person. I want to be completely clear on where we are today, relative to where we need to be, and what some of the dangers are by not addressing specific areas of concern. The aim is to reduce risk to an acceptable level to prevent a breach, so when presenting cost benefit analysis it is often weighed against the cost of breach potential. When you talk about a breach, we need to be cognizant of several things that people don’t easily see. Reputational damage within the industry and fines are top of mind, but what you may not recognize are the costs involved well beyond the framework of government fines. There are residual mitigation costs and consider public confidence—the minute you lose public confidence, you’re losing membership.”