7 Keys to CISO Budgeting

Building the cyber security business case

Seth Adler
10/06/2020

No longer merely technology technicians, Chief Information Security Officers have evolved into present-day business enablers. In just a few short years, the executive in question has gone from leading the Department of No to leading the Department of Know.

This year’s budgeting season is like no other. Some say it is longer, some say it is shorter. Per the initial results for the upcoming Year End Spend & Trends Report (take the survey), some are expecting to spend more and some are planning for three-year cuts of 20%. Boards are aware that, for whatever reason, there was unplanned cyber security spend in 2020. One third of current respondents spent most of their budget on the immediate needs associated with rapidly migrating to a distributed workforce.

So this year’s budgeting preparation should be like no other. The Cyber Security Hub community has collectively shared how to approach budgeting. We have come away from those conversations with Seven Keys to CISO Budgeting; they include:

  1. Weave the 2020 narrative.
  2. Controlling new and coming risks associated with the continuous distributed workforce.
  3. Identifying the long tail of investments and cost savings up front.
  4. Regulatory requirements as budget line item imperatives.
  5. Utilizing Threat Intelligence as a leading indicator of the budget you need now and will need in the future.
  6. Quantifying the value of customer trust.
  7. Replacing fear and doubt with delivering on enterprise mission and goals.

Let us take a look at each of these pointers in detail.

  1. Weave the 2020 narrative

    COVID-19 most likely affected your budget in some way. Tie the spend back to past budget conversations. Have you suggested spend in the past that would have cost less when you suggested it?  Either way, share the continuing spend associated with that initial hit and how that continuing spend is less now than it will be later.

  2. Controlling new and coming risks associated with the continuous distributed workforce

     The distributed workforce, in some shape or form, is here to stay. Preparing now for your SASE future is cogent business practice. Building your Zero Trust architecture now is table stakes. Where are you along the Zero Trust continuum?

  3. Identifying the long tail of investments and cost savings up front

    Now more than ever, the Board is ready to hear about your budget elasticity. What hidden long-term value does the enterprise receive through an investment now? In addition, what are the hidden long-term costs associated with that same investment? You might need a new analyst to operate new technology that will replace old technology and an older, retiring analyst, but that new technology will need a second analyst in 12 months. Mapping the money in and money out of the systems and talent can help to showcase the need for the investment to be made now.

  4. Regulatory requirements as budget line item imperatives

    While it is best to plan now for upcoming regulations, or even upcoming guidance, there are of course regulations already on the books to which you should have budget allocated. But that regulatory conversation should be part of the bigger-picture narrative of a forward-facing, detection-leaning cyber security posture.

  5. Utilizing Threat Intelligence as a leading indicator of the budget you need now and will need in the future

    How is your threat intelligence? Are you receiving feeds from collaborative industry sources? Have you checked in with government sources? How are your analysts evaluating your feeds? Are those feeds automated, throwing only exceptions to your best and brightest talent?

    Beyond those questions, how can you read your feed tea leaves in a way that justifies budget for where you will need to be in three and six months? Threading the needle on how much to spend, and when, is the art part of your budgeting science.

  6. Quantifying the value of customer trust

     It is difficult to quantify reputational loss. However, there are examples out there. What was the stock price drop of Capital One and Target respectively? What was the revenue and profit hit in those quarters? How much additional immediate cyber security spend happened as a result? These are hard numbers that you have probably already quoted in budgeting meetings. But did the conversation resonate with the Board? Did they understand the full potential impact to the enterprise?

    The two companies have taken two different turns since their respective breaches. How much has consumer confidence played into the ultimate long-term fortune of each company?

  7. Replacing fear and doubt with delivering on enterprise mission and goals

    But do not lean on fear and doubt; cyber security executives have been doing that for years.

    Do your homework. Know the mission of the company like the back of your hand. Know the goals that the company has and is building. And build your budget to speak to that mission and help deliver those goals. Discuss with organization business leaders what is in the way of them delivering on that mission and those goals, and envision what cyber security can do to help.

Cyber Security Business Enablement

If the finance team does not work as quickly as it once did because of unending privileged access issues, a new PAM solution could lead to time and cost efficiencies.

If the marketing team is having trouble accessing the same reports they could reach when they were on-prem, a new IAM solution could lead to quicker time to market.

Begin with the end in mind

But building a complete Zero Trust architecture now, while planning for your SASE future, could provide more long-term value for the enterprise. If you amortize a budget that immediately speaks to the mission of the company while delivering on its current goals, you are enabling the business at a lower total cost and with a higher ceiling for the resilience of the enterprise.