3 ways CISOs can win over their boards this budget season

As the year comes to a close, CISOs are already deep into building next year’s cybersecurity budget. That’s a difficult task in itself — yet the most challenging part of the process is getting the board’s approval. CISOs know all too well that getting a cybersecurity budget approved can be like trying to explain AP English to a dog: you’re just speaking different languages.

Modern CISOs are charged with protecting their organization from rapidly evolving threats while cybersecurity budgets are shrinking or getting redistributed. Boards still tend to see cybersecurity as a cost center, not something that can increase efficiency within their business. CISOs know the truth, but they need to figure out how to communicate the value of cybersecurity in a language their board can understand.

Here are three tips to win over your board this budgeting season. Done correctly, you’ll have a better chance of securing your budget and making your organization more resilient in a fast-moving threat landscape.

Tip 1: Quantify risk

The first step in building a defensible budget is putting numbers on the risks you’re trying to control. As a CISO, you immediately understand that your organization needs things like enhanced endpoint detection, a zero-trust architecture and a proper security operations center, but when you bring those things up in the budget meeting, the board’s eyes glaze over. It’s not that they are dismissing cybersecurity — they just don’t understand how these technical investments connect to the business outcomes they care about.

That’s why you should use financial terms to quantify your organization’s value at risk. Boards are more likely to accept your budget if they can understand the financial implications of a breach. Of course, this can be a difficult task if you haven’t experienced a breach before. You can start to understand your risk surface by researching your industry’s most common threats and breaches, consulting threat intelligence sources and interrogating your vendors’ cybersecurity postures to understand your third-party risk. You can also gather probability data on a breach through industry reports, government statistics and historical internal incident data.

However, the most accurate and influential approach is to survey your own experts and stakeholders, including them in the quantification process. You can find tools to do this manually or automatically. Using either approach, you can calculate the overall business impact of your risk, including direct financial losses, business interruptions and long-term business and reputation effects.

As an example of what this looks like in practice, take the recent Collins Aerospace breach, which caused heavy disruption and flight cancellations at multiple European airports. Not only were there direct financial losses for affected organizations, but there were also opportunity costs and lost efficiencies: increased engineering hours to get systems back online, pen-and-paper workarounds on the ground to replace automated tasks, and overworked airport staff. Use discrete, costly events like this to open a conversation with your CFO about modeling financial impact, imagining that your organization had been the one affected.

This is a dismal scenario for most organizations, but one whose full implications your board should understand. When quantifying the risks to your board, you should be prepared to explain the impacts of a worst-case scenario, best-case scenario and most-likely scenario — all in terms of financial losses. Quantifying the full scope of the cascading effects of a breach will help non-technical executives understand the investment required to make your organization resilient.

Tip 2: Go beyond compliance standards

It’s no secret that compliance and regulations drive nearly 80% of CISOs’ budget justifications. Industry standards like HIPAA and SOC 2 can offer a guiding framework for a program, but with evolving threats from AI, the rise of quantum computing and increasingly complex third-party risk, CISOs need to think about the threats that compliance doesn’t necessarily mitigate.

If you can, aim for 10% or more of your budget to be allocated to non-compliance risks over a 3-5-year horizon. These double-digit percentages are aspirational; the average CISO has a 3% discretionary budget. This budget does not have to be all net-new spend. For example, generative AI risks are top of mind for CISOs and boards, but dedicated, off-the-shelf tooling is in its very early stages. Existing budget line items, such as Data Security Posture Management, SASE and GRC analyst hours, can decrease risk from threats to generative AI workloads and tooling. Increased investment in these technologies and processes, alongside new ones, builds a solid foundation for your company to efficiently leverage generative AI on a medium-term horizon and limit net-new spending on point solutions. These investments lay the groundwork for your company to scale securely ahead of your competitors, rather than jumping in out of AI FOMO.

Your board wants to know that you are thinking about the emerging risks and how to address them in your budget proactively. You may not have all of the data on a given risk, but you should still acknowledge it and help the board understand the likelihood of it impacting your organization. As the threat landscape evolves, so should your strategies for making your organization resilient to those risks.

Tip 3: Know thy board

Part of winning over your board has to do with knowing what kind of persuasion tactics drive their decision-making. Boards are getting smarter on cybersecurity; a recent NACD survey found that nearly 80% of boards report their cybersecurity knowledge has improved. Another survey found that 85% of companies either have or are looking for a board member with cybersecurity expertise. Now that boards have a better awareness of the importance of cybersecurity, it’s your turn to meet them halfway and understand what they value from a business perspective.

Some boards are laser-focused on financial metrics and will only look at the dollars and cents of the budget. In that case, it’s essential to communicate in financial terms; they’ll want concrete examples of what the organization stands to lose from the cost of breach-related business interruption. This quantification does more than just justify your budget; it creates a bridge between your security team and business imperatives. Other boards may be more motivated by storytelling. In that case, painting a step-by-step picture of what an attack could look like and the corresponding impacts that go along with it will be most compelling.

In both instances, the budget and conversation defending it should speak the same language as your specific board. Importantly, that level of insight into what the board values can only come from consistent check-ins throughout the year. You should strive to build a relationship, so you aren’t simply a checkbox for the board come budgeting season.

CISOs should bring rigor, clarity and business alignment to security investment decisions. If you can quantify the risks for your board, account for emerging risks and understand what they value most, you’ll improve your odds of winning over your board this fall.

This article is published as part of the Foundry Expert Contributor Network.