Request Demo

How to Sell Cybersecurity to Your Executive Team


Article originally published on CSO Online, written by CyberSaint Co-Founder Scott Schlimmer

Despite repeated major, high-profile breaches, most cybersecurity teams still struggle to get sufficient funding. “After this hack, cybersecurity budgets are bound to increase.” We’ve all thought it. But, curiously, it may not always happen. It’s a constant battle between profitable business investments and “unprofitable” security investments to protect the current bottom-line. 

Despite the headlines, growth-oriented executives tend to prioritize other expenses.
According to Russ Verbofsky, CIO and CISO at the New Mexico Department of Game and Fish, “You can pay me today or tomorrow. But tomorrow includes a press release describing that we weren’t proactive in protecting our data and systems." In other words, companies can sufficiently fund their cybersecurity budgets today, or pay after a breach and the accompanying damages and bad publicity.

Based on current cyber budgets, many are “choosing” to pay later.

A former CISO of a large, Fortune 500 company, who asked to remain anonymous, outlined this phenomenon in detail. “It’s absolutely crazy. Every time there would be a major breach, I’d write up lessons learned, and it would just fall on deaf ears. I couldn’t make the message stick.”

The CISO notes that his budget was “extraordinarily tight.” He added, “It’s not just the budget, companies that don’t want to spend money can add huge additional steps to make purchasing onerous, and legal requirements.” The CISO also noted that not all companies run this way, and that his previous CISO role was at a company that properly funded “nearly all justifiable cybersecurity expenses.” The problem is not necessarily lack of funds. Another CISO from a medium to large US state commented, “From what I have seen the issue is not necessarily that the money is not there, typically the issue is that security almost always competes with other operational priorities.”

The challenge, then, is to convince your board and executives that cybersecurity is as important as the latest operational priorities and is necessary to protect current revenues. So what can a security professional do to get around this odd phenomenon and ensure the funding necessary to protect his or her company from becoming the next Equifax?

1. Speak their language

When I worked for CIA and advised the White House on terrorist threats, I learned I had to change my presentation style when writing for the President of the United States (POTUS). The same goes for pitching security to a board and executives.

As an expert, I had a lot to tell POTUS. But POTUS doesn’t care about most of what I know. He wants the bottom line key points. And he wants to know what he can do about it, and what the likely outcomes are with each of his options.

Cybersecurity experts have a habit of losing their audience and confusing them, often speaking too technically and with too many acronyms. If your board or executives doesn’t understand, they’re going to be more hesitant.

It takes a lot of practice to overcome this. Boards and execs care about business. And they care first about mission-critical operations and bottom-line profits. Cyber risks can threaten those two goals, which are the heart of any organization. Cybersecurity needs to be treated as a business function. It needs to be presented to boards and executives like any other business function in the organization.

2. Use metrics and visuals

If I’m running a company or on a board, the first question I’m going to ask of any proposal for funds is, “What do I get for that money?” Can you honestly answer that questions? Imagine the security team is asking you for money. What do you get for that money? Often we use metrics like “incidents detected” or “attacks stopped.” Except for the most tech-interested, executives just don’t care. This means nothing to less-technical boards and execs. Focus on business-oriented metrics. How much monetary loss have your controls prevented? How many dollars are likely to be saved through the investment you’re asking for? The toughest one, and the most important one for making cyber a business function, is how much more resilient will your systems be after this investment? With cyber resiliency, there is clear progress.

An investment that increases your resiliency by 30% will be much easier to fund than a confusing technical detection platform with unknown results. Although it’s difficult to do, I’m a big proponent of measuring cyber resiliency against a reputable framework like the NIST Cybersecurity Framework. Also, you need to speak in charts. Executives need simple visuals to show these things. Picture the cliché charts of profits going up. If you can’t do this in-house, then it’s vital that you outsource this. It will pay off later, with increased buy in and budget.

3. Get Outside verification

Sadly, internal security evangelists can be viewed with skepticism. This happened even when I had the reputable weight of the CIA behind my recommendations. Dentists say you have to floss every day and mechanics say you need an oil change every 3,000 miles, but we all know these are the standards of perfection and that you’ll be ok if you skip a day flossing or wait until 4,000 miles this time. What makes cyber any different?

Another Fortune 500 CISO put it best. “Frequently, management doesn’t believe the experts they hire. After failing an audit, then they start to believe.” For better or worse, an outside opinion carries more weight. Consider outside consultants or a platform like CyberStrong to analyze your systems before an audit comes up and makes you look bad. It’s ironic, but spending money to help your board understand the problem can get you even more money in your budgets.

Scott Schlimmer is a former CIA officer & Co-Founder of Cybersaint Inc., whose CyberStrong™ software manages cybersecurity as a business function, measures cybersecurity strength against the NIST Cybersecurity framework, and uses AI to recommend how to get the most cybersecurity improvement for the least investment.

You may also like

The Cybersecurity Skills Gap: The ...
on February 7, 2019

The cybersecurity skills gap is nothing new to the seasoned cyber professional. It has been widely discussed in cyber and information security circles for some time. The main flag ...

George Wrenn
The Post-Digitization CISO
on February 5, 2019

Information leaders in digital businesses, whether focusing on optimization or a full transformation, are inherently altering their position among the executive leadership. As ...

Integrated Risk Management and ...
on January 31, 2019

With technology permeating every aspect of a business, one begins to wonder what technology is reserved for digital risk management rather than the other facets of integrated risk ...

Department of Defense Launches ...
on January 29, 2019

The Defense Federal Acquisition Regulation Supplement (DFARS) mandate, specifically Clause 252.204-7012 requiring all members of the Department of Defense’s supply chain to comply ...

Digital Risk Management Frameworks
on January 24, 2019

As organizations continue to embrace digitization, security teams are faced with the challenge of keeping the enterprise secure while empowering growth and innovation. Many CISO’s ...

The Cybersecurity Impact Of The ...
on January 23, 2019

There has been a great deal of speculation around the cybersecurity posture of the nation in light of the most recent (and longest documented) government shutdown. I’ve seen two ...

George Wrenn