Successful Cyber Budgets And Risk Reduction With Diverse Stakeholders

Growth in business and the need to remain competitive in an increasingly distributed and digital world necessitates working with subject-matter and functional experts both inside and outside of your organization. However, relationships between IT, security and the various internal stakeholders takes time to nurture.

Security leaders are often very technical and comfortable communicating with other technical folks. Similarly, functional department leaders, executives and advisors can be quick to dismiss the value that cyber security brings to advancing the organization’s goals. This challenge is often observed when leaders gather to review and plan budgets.

Multiple stakeholders are involved in the organization’s budget and each has its own perspective of what value security delivers. How can cyber security articulate risk and measure the effectiveness of its spending?

Cyber Budgeting Differs By Size And Type Of Organization

In the traditional IT-based organization, security may receive a capital expenditures (CapEx) budget or it may be managed in a discretionary manner. The level of scrutiny placed on the security budget can also vary. CISOs reacting to this topic suggest that regardless of how your organization budgets, expect the process to change and evolve over time. And there’s no better time than now to prepare and document how the security budget is defined and how you intend to protect those expenditures. Also, as the organization matures and grows, more members of the security team will need to have input into assessing needs.

A government agency executive must demonstrate that budgets for IT and cyber security meet the highest missions needs for the organization. Unlike a commercial business, funding is allocated annually (by the municipal, state or federal legislature) and the organization must operate within the allocation. You cannot go back and ask for more mid-course and the funding cannot be shifted for other purposes. The way to work through this budgeting behavior starts with engaging stakeholders early and often. These engagements help anticipate a variety of scenarios and how to work within the constraints and flexibilities available.

Since 2016, the Department of Homeland Security (DHS) has been the lead agency in the U.S. for helping other federal agencies coordinate cyber security needs. DHS also provided “startup seed money” to the other agencies to jumpstart the cyber investment within organizations. Federal budgeting is often accomplished by taking the previous year’s budget and making adjustments based on agency priorities. Federal executives say challenges occur when trying to get the attention needed for specific agency missions.

See Related: Security Leaders Help Make Sense Of CISO Priorities For The Balance Of 2019

How To Communicate With The Organization’s Stakeholders

The stakeholders within the organization can include executives, advisors, and line of business management. How to communicate effectively with the various stakeholders should be approached with an eye towards understanding the needs of your audience. In many instances, this means how each part of the business values security. Common ground can be found through examination and tracking of key business measures and objectives.

If the organization has adopted the NIST Cyber Security Framework, for example, the risk analysis process helps identify gaps where cyber spending will have the most measurable impact on the organization.

Frequent review of these measurements to discuss the most significant vulnerabilities is a means to build relationships and communications channels with stakeholders. Whether it be the risk, compliance, audit or legal team, cyber risk is consistently defined, measured and reviewed.

Outside of the infrequent budget exercises, security leaders should work to understand how finance reconciles budgeting vs. actual spend. Some security spending areas may be challenging, such as fixed spend vs. on-going spend (common with subscription services).

Finance And Supply Chain As Cyber Targets

Increasingly, organizations are finding attacks increasing beyond the perimeter to include specific roles and responsibilities. Finance and the supply chain, for example, are viewed as functions that interact with monies and sensitive data. Hackers harvesting credentials through a variety of web services will attempt lateral attacks to infiltrate these money centers.

It is important for security leaders to remember that these departments need cyber awareness training as much as, if not more than, other parts of the organization. Security may need to partner with these functions to identify creative and appropriate cyber solutions. Similarly, the departments will find value in understanding the tradeoffs between an IT solution and an objective assessment of the needs of the business.

See Related: Budgetary Foresight: 3 Essential Cyber Security Programs For 2019