Happy Sunday, everybody!!! It is hard to believe that half of the month is already over, and that we have a new Presidential Administration coming on board in just a matter of three days. Where has the time gone? Who knows.
But anyways, as we start to chip away at the start of the New Year, there is one thing that will be at the top of almost everybody’s mind, and that is money. People have already started to get their 2nd round of funding, and now there is talk of the soon-to-be Biden Administration pumping even more money into the economy.
Of course, there is always the talk of who is going to pay for all of this, as it will for sure blow up our deficit even more. But for right now, it is a matter of pure survival for all of us at the present time, and that is what we need to remain focused on. Hey, but I will take free money if I can get some LOL. But there is another group of people out there for whom money is really going to be a huge concern. And that is the CISO.
Although I have heard of some budgets starting to loosen up a little bit, there are still many businesses out there where this is still a hotly debated topic. Obviously, the CISO needs the critical funding in order to not only fight off the Cyber threats that are out there, but even to keep their job as well (the average tenure of a full-time, direct-hire CISO is now about 16 months).
So, how does the CISO go about asking their bosses (especially the Board of Directors) for more money? Well, here are three tips one can use:
*Understanding what Cyber Risk is:
When one is asked what this exactly means, everybody will say something different. The primary reason for this is that there are so many things that can go into calculating it that it can truly be a nightmare to figure out just where to get started. For example, there are both quantitative and qualitative factors that need to be taken into consideration. Also, it is not just the digital assets that have to be taken into account, but the physical ones as well. Not to mention, there are also a lot of Frameworks out there to help guide you in the process of figuring out where your level of Cyber Risk is at. But very loosely put, it defines how much tolerance your business can take (in terms of downtime) until it starts to get negatively impacted. Of course, there are different pieces to this puzzle, and obviously those assets that are deemed to be the most vulnerable (and the more of them there are) will produce a much lower level of tolerance. Then there is the second part of this: once you more or less know your level of Cyber Risk, what are your plans to bring it down? But believe it or not, as a shameless plug for myself, I am actually in the process of writing a book on this whole thing. A lot of your questions and needs for guidance will be addressed in it. But the bottom line with all of this is that once you are prepared to report to the Board of Directors on this topic, be as succinct as you can, without going into all of the nuts and bolts of how you figured it out. Honestly, they don’t really care about that; all they want to know is your level of Cyber Risk, and what it means to the bottom line.
*Justifying your spend:
This is obviously one of the first questions that the Board of Directors will ask you about. For example, if you are pitching that you need XYZ amount more than the previous year, then you have to present to them how that new money is going to be spent, not only to fight off any security breaches, but also to bring down your current level of Cyber Risk. One way to get started with this process is to conduct an inventory of all of the security tools and technologies that you have in place, and where they are currently deployed. More than likely, you will discover that you have a lot more than what you really need. This not only puts an extra burden upon your IT Security staff, who have to filter through all of the false positives, but it also increases the attack surface for the Cyberattacker to further penetrate into, and your ROI will be a lot lower as a result. So with this information in hand, you can now reposition those security tools and technologies to where they are needed the most, thus alleviating all three “strains” just described. But another huge benefit of going through this process is that you can tell your Board of Directors exactly where the money will be spent, and how that will greatly improve your overall level of Cyber Resiliency (yes, another buzzword). By taking this kind of approach, you will have a greater chance of getting your new budget approved.
*Always equate Cybersecurity to Economics:
As mentioned numerous times throughout this blog, your Board of Directors only cares about what an increased investment into your budget will mean to the bottom line of your company, and how long it will take until a positive return is garnered on this extra spend. Of course, Cybersecurity is complex, and it’s not like hiring a sales team (for example, “Sales should increase by X% if I hire X amount of new sales reps”). It can take quite some time until the benefits outweigh the costs, or at least reach some break-even point. But whatever approach you take, you need to equate it with Economics. For example, the Board of Directors is not going to care about how a brand-new Router will work, but what they do want to know is how much it will cost. So wherever possible, always try to attach a dollar figure to where you want to spend, along with the expected time for a positive ROI to be achieved. Now, while you may need to have this line-item breakdown for each and every dollar spent, just present the holistic findings to the Board of Directors. So for example, you can state something like “I will need XXX amount of dollars to migrate from an On Prem solution to one that is based in the Cloud, and it will take XXX amount of months for a positive ROI to be achieved”. In this regard, always state things in the lowest timeframes possible. So in our example, that is why I used the term “months” and not “years”. Also, it is equally important to show the Board of Directors how all of these costs will be tracked over a certain period of time. Another bonus for you is if you can get an accounting firm to actually verify all of this as time elapses.
My Thoughts On This:
One other item to keep in mind is that your Board of Directors may want you to present various “What If Scenarios”, in addition to presenting the static numbers at hand. While Excel is a good tool for this, it can be a very time-consuming process, and mistakes can thus be made very easily.
Therefore, you may want to consider using an AI or ML tool to help you do this, as they can calculate and present all of this kind of information on a real-time basis.
Also, remember the days of hiring the traditional, six-figure salary CISO are now almost gone. Instead, many companies are now opting for what are known as “vCISOs”. This is where you hire an external third party to be your CISO, but for a fixed time frame and a fixed fee.
The primary advantage of this is of course the cost savings that are involved. Also, many of these vCISOs can speak about the economics of Cybersecurity as well. If you do decide to go this route, make sure to vet one out that can truly meet your needs, especially when it comes to presenting the case for getting more money.