The CISO challenge of budgeting

The CISO challenge of budgeting

As a result of the impact that COVID-19 has had on businesses, CISOs are under more pressure than ever to make informed decisions on where they invest their budget. Dietrich Benjes, VP and GM APAC, Qualys, explains why CISOs need to conduct a thorough assessment of their current security posture and evaluate how security can contribute to business objectives and priorities, in order to manage their budget accordingly.

The primary role of a CISO is to protect the business, its people and its data, but this doesn’t mean purely acting in ‘defensive’ mode. In fact, a growing part of a CISO’s responsibility is to find ways to actively support and contribute to wider business priorities.

According to Gartner, over 30% of a CISO’s effectiveness will be directly measured on their ability to create value for the business by 2023. This means CISOs must increasingly plan and manage their operational budgets with this type of value creation top of mind.

From the work my team and I do with rapidly expanding businesses across Asia Pacific, there are a few key points a CISO needs to remember when it comes to budgeting:

Solidify and expand relationships with other departments

Where possible, demonstrate how your budget decisions link directly to how your business generates revenue or accomplish other business goals such as operational efficiency. This establishes you as a business partner and cybersecurity as a business enabler, rather than a cost centre. Does it align with the business plan, protect existing revenue sources and have controls in place for newly created revenue streams from new products, acquisitions or new locations?

Alongside this, look at how to demonstrate your business acumen as well as your technology expertise. Wherever possible, you should explain cybersecurity risks based on business impact and use business language and risk profiles to find ways to enable new initiatives while minimising those potential issues over time.

Taking this risk-based approach does require you to develop strong relationships with multiple business functions within an organisation. This involves finding common ground to start with and then using these joint concerns to engage in a consultative manner on ways security can help. By starting with business concerns, you can link your budget spend to results.

Take stock of what you have

A typical approach to allocating budget will start with your most important priorities. However, to deliver this, your priorities have to be accurate. The budget cycle should start with an assessment of company assets and risks, and an accurate overview of your IT assets and resources too. Understanding the most critical assets for the business will ensure they are assigned adequate protection, but you also have to know everything is in place.

The assessment findings will be integral for your budgeting planning and recommendations. For instance, it’s still quite common to find companies that don’t have accurate IT asset inventories, or that lack key mitigation elements such as anti-phishing training, cybersecurity indemnity contractual clauses with business partners, cyber insurance coverage and crisis management framework.

An effective budget must also include allocations for security training and culture development, so that every employee values it. Security culture means getting all employees to be part of the company’s security and risk posture and to engage in secure behaviour. These investments should also recognise role model employees in compliance and incident reporting.

Skills and automation

One of the best investments any CISO can make is in skilled people. With the market skills gap, it’s very difficult to acquire and retain talented security professionals. As a result, you should invest in developing your existing employees as much as possible, as well as maintaining a culture which retains them.

You should look at how to automate and make your staff more effective. Security teams can’t operate in stressful environments, so helping your team be more efficient will make their lives easier and also deliver better security overall. As you analyse potential investments, consider not only how much they cost, but also how much they could save.

Taking away manual process steps with automation also links back to the cultural side too. Building a high-performing security team in-house does require investment, but it is better to develop your people who already know the company and its business.

Set your budgets accordingly

Under the current challenging circumstances, cybersecurity budgets are predicted to remain at best, steady. Consolidating your suppliers can help deliver more with less, particularly by reducing the proliferation of point solutions to problems. Over time, vendors launch more complementary offerings to market, which can help you rationalise some of your security vendors down, resulting in significant cost savings.

For example, you can move to a shorter quarterly budget review, rather than annual reviews. This will help you focus efforts and resources more precisely to where they are needed. If a vendor is not delivering enough value, you can make a decision faster.

From an investment standpoint, executives and board directors expect value for money. You should always align the business to the right level of security investment versus the risk to business impact and likelihood, based on business risk appetite.

Meaningful metrics

All budgets have to be reviewed over time and all cybersecurity teams should report to the executive leadership team on their results. To make this effective, consider how to design meaningful metrics which demonstrate your contribution to business value creation as well as security risks managed. This should ensure that you have proper monitoring of your cybersecurity operations for continuous improvement, but also that you receive support in the future.

To summarise, CISOs need to conduct a thorough assessment of their current security posture and evaluate how security can contribute to business objectives and priorities. This will lead you down the right path for prioritising and managing your budget.

Click below to share this article

Browse our latest issue

Intelligent CIO APAC

View Magazine Archive