Article originally published on CSO Online, written by CyberSaint Co-Founder Scott Schlimmer
Despite repeated major, high-profile breaches, most cybersecurity teams still struggle to get sufficient funding. “After this hack, cybersecurity budgets are bound to increase.” We’ve all thought it. But, curiously, it may not always happen. It’s a constant battle between profitable business investments and “unprofitable” security investments to protect the current bottom-line.
Despite the headlines, growth-oriented executives tend to prioritize other expenses.
According to Russ Verbofsky, CIO and CISO at the New Mexico Department of Game and Fish, “You can pay me today or tomorrow. But tomorrow includes a press release describing that we weren’t proactive in protecting our data and systems." In other words, companies can sufficiently fund their cybersecurity budgets today, or pay after a breach and the accompanying damages and bad publicity.
Based on current cyber budgets, many are “choosing” to pay later.
A former CISO of a large, Fortune 500 company, who asked to remain anonymous, outlined this phenomenon in detail. “It’s absolutely crazy. Every time there would be a major breach, I’d write up lessons learned, and it would just fall on deaf ears. I couldn’t make the message stick.”
The CISO notes that his budget was “extraordinarily tight.” He added, “It’s not just the budget, companies that don’t want to spend money can add huge additional steps to make purchasing onerous, and legal requirements.” The CISO also noted that not all companies run this way, and that his previous CISO role was at a company that properly funded “nearly all justifiable cybersecurity expenses.” The problem is not necessarily lack of funds. Another CISO from a medium to large US state commented, “From what I have seen the issue is not necessarily that the money is not there, typically the issue is that security almost always competes with other operational priorities.”
The challenge, then, is to convince your board and executives that cybersecurity is as important as the latest operational priorities and is necessary to protect current revenues. So what can a security professional do to get around this odd phenomenon and ensure the funding necessary to protect his or her company from becoming the next Equifax?
1. Speak their language
When I worked for CIA and advised the White House on terrorist threats, I learned I had to change my presentation style when writing for the President of the United States (POTUS). The same goes for pitching security to a board and executives.
As an expert, I had a lot to tell POTUS. But POTUS doesn’t care about most of what I know. He wants the bottom line key points. And he wants to know what he can do about it, and what the likely outcomes are with each of his options.
Cybersecurity experts have a habit of losing their audience and confusing them, often speaking too technically and with too many acronyms. If your board or executives doesn’t understand, they’re going to be more hesitant.
It takes a lot of practice to overcome this. Boards and execs care about business. And they care first about mission-critical operations and bottom-line profits. Cyber risks can threaten those two goals, which are the heart of any organization. Cybersecurity needs to be treated as a business function. It needs to be presented to boards and executives like any other business function in the organization.
2. Use metrics and visuals
If I’m running a company or on a board, the first question I’m going to ask of any proposal for funds is, “What do I get for that money?” Can you honestly answer that questions? Imagine the security team is asking you for money. What do you get for that money? Often we use metrics like “incidents detected” or “attacks stopped.” Except for the most tech-interested, executives just don’t care. This means nothing to less-technical boards and execs. Focus on business-oriented metrics. How much monetary loss have your controls prevented? How many dollars are likely to be saved through the investment you’re asking for? The toughest one, and the most important one for making cyber a business function, is how much more resilient will your systems be after this investment? With cyber resiliency, there is clear progress.
An investment that increases your resiliency by 30% will be much easier to fund than a confusing technical detection platform with unknown results. Although it’s difficult to do, I’m a big proponent of measuring cyber resiliency against a reputable framework like the NIST Cybersecurity Framework. Also, you need to speak in charts. Executives need simple visuals to show these things. Picture the cliché charts of profits going up. If you can’t do this in-house, then it’s vital that you outsource this. It will pay off later, with increased buy in and budget.
3. Get Outside verification
Sadly, internal security evangelists can be viewed with skepticism. This happened even when I had the reputable weight of the CIA behind my recommendations. Dentists say you have to floss every day and mechanics say you need an oil change every 3,000 miles, but we all know these are the standards of perfection and that you’ll be ok if you skip a day flossing or wait until 4,000 miles this time. What makes cyber any different?
Another Fortune 500 CISO put it best. “Frequently, management doesn’t believe the experts they hire. After failing an audit, then they start to believe.” For better or worse, an outside opinion carries more weight. Consider outside consultants or a platform like CyberStrong to analyze your systems before an audit comes up and makes you look bad. It’s ironic, but spending money to help your board understand the problem can get you even more money in your budgets.
Scott Schlimmer is a former CIA officer & Co-Founder of Cybersaint Inc., whose CyberStrong™ software manages cybersecurity as a business function, measures cybersecurity strength against the NIST Cybersecurity framework, and uses AI to recommend how to get the most cybersecurity improvement for the least investment.