As we start December this Tuesday, many in the C-Suite are now planning their budgets for 2021, with the hope of getting approval for what they are requesting. It is probably the CIO and/or CISO who is facing the biggest pressure of all today in this regard, given what has been happening with COVID-19. It doesn’t seem to want to go away anytime soon, and with everybody now WFH, budgets have become tighter than ever before.
According to recent research conducted by the Ponemon Institute, security breaches are only getting worse, and are happening with much more frequency. For example, here are some of the highlights of their study:
*88% of all security breaches were caused by some poor level of Cyber Hygiene (though nobody is pointing fingers in this particular survey);
*16 billion PII datasets were exposed in the first half of 2020 alone, right when COVID19 first hit.
More details on this survey can be found here at this link:
So, what can the CISO do to get more money to keep up with the Cybersecurity Threat Landscape? Here are some key tips to keep in mind:
*Understand where your company is at right now:
This is where all of the buzzwords such as “Cyber Risk”, “Cyber Resiliency” and “Cyber Posture” come down to the same thing. Simply put, all of this means: what is your company’s current risk profile? How quickly can you combat a security breach and restore business operations? Well, there are a lot of models and frameworks out there that can help you accomplish this task (especially those from NIST), but you need to break this all down to a level that your Board of Directors can understand quickly and easily. Remember, in the end, it is this group of individuals that will give you the ultimate approval for your requested budget. Also, keep in mind that these people will not understand all of the ins and outs of Cybersecurity like you do. Yea, you can get all fancy with research and terminology, but you need to break this all down to what it means to the business and the bottom line. Probably one of the biggest questions that you will have to answer is what kind of ROI your 2021 spend will bring to the company. Keep your report simple and easy to understand, with some charts and graphs. If possible, try to keep your final report down to just a couple of pages in order to keep it concise.
*Show the steps as to how you will get there:
There are 5 key takeaways that you will need to prepare in your report, so brevity will be key here. Here is what needs to be included, at a minimum:
*As just described, show where you currently stand in terms of your risk level of being attacked. But rather than showing this as an independent number, compare it against your competition and other Cyber trends in your industry. This will take some deep-level research on your part, but it will give your Board of Directors a true snapshot of where you stand at the current time.
*Quantify everything you present. Remember, your Board of Directors does not want to hear a one-hour speech on what you are planning to do; they want cold, hard numbers, as also just described. Try to make these as financially related as possible, as that is all they will really care about in the end.
*Always highlight your successes. In the world of Cybersecurity today, unfortunately not much good news makes the headlines; it is more or less the bad news that does. But there are successes happening, and you need to include them in your report as well. In this case, there is no need to get into all of the detail as to what happened on a daily basis; just give a yearly summary with some key statistics highlighting the good your IT Security team has brought to the business. As far as possible, try to balance out the ugly with the good. But of course, if you have not been impacted by a major security breach in the year, then by all means, really highlight that one!!!
*Show your plans. After you have presented where you are at to your Board of Directors, the next step is to present your plan for how to make things better in 2021. It is important to keep in mind that you don’t simply talk about the kinds of new technologies that you are planning to deploy; rather, you need to talk about the whole picture. One of the biggest areas in this regard that you will need to address with the Board of Directors is how you plan to further fortify the company’s lines of defense now that the Remote Workforce is here to stay for quite a long time to come yet. For example, this will be your opportunity to talk about more security training for employees, new plans for how software patches and upgrades will be done more efficiently, possibly implementing a Zero Trust Framework (if you don’t have one already), possibly migrating on-prem deployments to the Cloud using either AWS or Microsoft Azure, etc.
*Quantify how things will get better by the next yearly meeting. The bottom line here is that you need to show how your level of Cyber Risk will decrease in value one year from now, and how it will be better than your competition’s. It all comes down to just one number. If you can show in your report how all of the efforts just talked about can bring this number down, then you have a pretty decent chance of getting your budget approved for the upcoming year.
*Prepare your budget:
Now that you have showcased what is going on to your Board of Directors, it is time to present your budget to them for hopeful approval. True, this will be a gut-wrenching and anxiety-provoking moment, but keep in mind that you have done the best you can, as the CISO. At this phase, it is important to reiterate to the higher-ups that your company will never reach a Cyber Risk level of “0”. It is impossible. But if you can portray the steady improvements that should be realized, and how your efforts will lead to a clean-up in the level of Cyber Hygiene of your staff and employees, this will carry you even further in this last step of the budget approval process.
My Thought On This
It is not just you: every CISO in Corporate America will have to endure this process, unless of course your company has tons of cash on the balance sheet that it can dole out for whatever you want. Another key aspect that you will want to highlight to your Board of Directors is just what the average cost of a security breach is to a company these days.
Right now, it is at well over $4 million. This does not even include downtime, the time to recover mission-critical business operations, and indirect costs such as brand/reputational damage, lost customers, etc. If you can demonstrate how your proposed measures in 2021 will help keep your company from experiencing this kind of huge financial loss, you will be golden for your budget. Finally, highlight to them that all of the other unforeseen and indirect costs will cost your company 10X more than just the $4 million. It will be more like $40,000,000.