7 Significant Keys To CISO Budgeting

Updated: Jan 4, 2021

In the modern-day landscape of business and cybersecurity, the position of Chief Information Security Officer has evolved significantly in the complexity of its duties. In just a few short years, the role has gone from leading the “Department of No” to leading the “Department of Know.” This year’s budgeting season is like no other. Some say it’s longer, some say it’s shorter. Per the initial results for the upcoming Year End Spend & Trends Report, some are expecting to spend more and some are planning for three-year cuts of 20%. Many boards are well aware that, for whatever reason, there has been an unplanned increase in spending on cybersecurity throughout 2020.


Around 1/3 of current respondents claimed to have spent the majority of their budget on the immediate needs associated with migrating to a distributed workforce. Taking this into account, this year’s budgeting preparation should be like never before. The Cyber Security Hub community has analyzed and discussed how to approach budgeting; here are some key points from those insightful conversations that make up the 7 Keys to CISO Budgeting.


1. Weave the 2020 narrative


It is almost certain that the COVID-19 pandemic affected your organization’s budget in some way or another. The recommended approach here is to “tie the spend back to past budget conversations. Have you suggested spend in the past that would have cost less when you suggested it?” Either way, you should share the continuing spend associated with that initial hit and emphasize how that continuing spend is less now than it will be in the future.


2. Controlling new and coming risks associated with the continuously distributed workforce


The distributed workforce, regardless of the specific shape or form it comes in, is here to stay. That means that “preparing now for your SASE future is cogent business practice. Building your Zero Trust architecture now is table stakes.” It’s important to understand, and build upon, where you are along the Zero Trust continuum.


3. Identifying the long tail of investments and cost savings upfront


Perhaps now more than ever before, the board is prepared to hear about your budget elasticity. This brings into question, “What hidden long-term value does the enterprise receive through an investment now? And what are the hidden long-term costs associated with that same investment? You might need a new analyst to operate new technology that will replace old technology and an older retiring analyst, but that new technology will need a second analyst in 12 months.” Being able to map the money flowing in and out of the systems and talent can help to showcase the need for the investment to be made now.


4. Regulatory requirements as budget line item imperatives


While it is typically best to plan for upcoming regulations ahead of time, there are obviously certain regulations already on the books for which you should have budget allocated. That being said, the “regulatory conversation should be part of the bigger picture [of the] cybersecurity forward-facing, detect-leaning posture narrative.”


5. Utilizing Threat Intelligence


Understanding threat intelligence is becoming increasingly important. Some questions to consider are: “Are you receiving feeds from collaborative industry sources? Have you checked in with government sources? How are your analysts evaluating your feeds? Are those feeds automated, throwing only exceptions to your best and brightest talent?” In addition to those questions, it’s important to discuss how you can read your feed tea leaves in a way that justifies the budget for where you’ll need to be in three and six months. Threading the needle precisely and accurately on how much to spend, and when the optimal time to spend it would be, is a major facet of budgeting.


6. Quantifying the value of customer trust


It’s definitely difficult to quantify reputational loss. But there are examples out there. What was the “stock price drop of Capital One and Target respectively? What were the revenue and profit hits in those quarters? How much additional immediate cybersecurity spend happened as a result? These are hard numbers that you have probably already quoted in budgeting meetings. But did the conversation resonate with the Board? Did they understand the full potential impact to the enterprise? The two companies have taken two different turns since the respective breaches. How much has consumer confidence played into the ultimate long-term fortune of each company?”


7. Replacing fear and doubt with delivering on enterprise mission and goals


Rather than falling victim to the fear and doubt that is plaguing many companies and top executives, the ideal approach is to simply do your homework from a research and awareness standpoint. You should “know the mission of the company like the back of your hand. Know the goals that the company has and is building. And build your budget to speak to that mission and help deliver those goals.” Start a discussion with your organization’s business leaders regarding the future of cybersecurity and measurable goals going forward.


Taking a deeper look into the business side of cybersecurity, if the finance team doesn’t work as quickly as it did due to unending privileged access issues, “a new PAM solution could lead to time and cost efficiencies. If the marketing team is having trouble accessing the same reports they could when they were on-prem, a new IAM solution could lead to quicker time to market. Begin with the end in mind. But building a complete zero trust architecture now while planning for your SASE future could provide more long-term value for the enterprise.” If you produce a budget that immediately speaks to the mission of the company while delivering on its current goals, you are “enabling the business at a lower total cost with a higher ceiling for the resilience of the enterprise.”
