Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

How to Gain Executive Buy-in for Cyber Risk Initiatives

down-arrow

Article originally published on CSO Online, written by CyberSaint Co-Founder Scott Schlimmer

Despite repeated major, high-profile breaches, most cybersecurity teams still struggle to get sufficient funding. “After this hack, cybersecurity budgets are bound to increase.” We’ve all thought it. But, curiously, it may not always happen. It’s a constant battle between profitable business investments and “unprofitable” security investments to protect the current bottom-line. 

Despite the headlines, growth-oriented executives tend to prioritize other expenses.
According to Russ Verbofsky, CIO and CISO at the New Mexico Department of Game and Fish, “You can pay me today or tomorrow. But tomorrow includes a press release describing that we weren’t proactive in protecting our data and systems." In other words, companies can sufficiently fund their cybersecurity budgets today, or pay after a breach and the accompanying damages and bad publicity.

Based on current cyber budgets, many are “choosing” to pay later.

A former CISO of a large, Fortune 500 company, who asked to remain anonymous, outlined this phenomenon in detail. “It’s absolutely crazy. Every time there would be a major breach, I’d write up lessons learned, and it would just fall on deaf ears. I couldn’t make the message stick.”

The CISO notes that his budget was “extraordinarily tight.” He added, “It’s not just the budget, companies that don’t want to spend money can add huge additional steps to make purchasing onerous, and legal requirements.” The CISO also noted that not all companies run this way, and that his previous CISO role was at a company that properly funded “nearly all justifiable cybersecurity expenses.” The problem is not necessarily lack of funds. Another CISO from a medium to large US state commented, “From what I have seen the issue is not necessarily that the money is not there, typically the issue is that security almost always competes with other operational priorities.”

The challenge, then, is to convince your board and executives that cybersecurity is as important as the latest operational priorities and is necessary to protect current revenues. So what can a security professional do to get around this odd phenomenon and ensure the funding necessary to protect his or her company from becoming the next Equifax?

1. Speak their language

When I worked for CIA and advised the White House on terrorist threats, I learned I had to change my presentation style when writing for the President of the United States (POTUS). The same goes for pitching security to a board and executives.

As an expert, I had a lot to tell POTUS. But POTUS doesn’t care about most of what I know. He wants the bottom line key points. And he wants to know what he can do about it, and what the likely outcomes are with each of his options.

Cybersecurity experts have a habit of losing their audience and confusing them, often speaking too technically and with too many acronyms. If your board or executives doesn’t understand, they’re going to be more hesitant.

It takes a lot of practice to overcome this. Boards and execs care about business. And they care first about mission-critical operations and bottom-line profits. Cyber risks can threaten those two goals, which are the heart of any organization. Cybersecurity needs to be treated as a business function. It needs to be presented to boards and executives like any other business function in the organization.

2. Use metrics and visuals

If I’m running a company or on a board, the first question I’m going to ask of any proposal for funds is, “What do I get for that money?” Can you honestly answer that questions? Imagine the security team is asking you for money. What do you get for that money? Often we use metrics like “incidents detected” or “attacks stopped.” Except for the most tech-interested, executives just don’t care. This means nothing to less-technical boards and execs. Focus on business-oriented metrics. How much monetary loss have your controls prevented? How many dollars are likely to be saved through the investment you’re asking for? The toughest one, and the most important one for making cyber a business function, is how much more resilient will your systems be after this investment? With cyber resiliency, there is clear progress.

An investment that increases your resiliency by 30% will be much easier to fund than a confusing technical detection platform with unknown results. Although it’s difficult to do, I’m a big proponent of measuring cyber resiliency against a reputable framework like the NIST Cybersecurity Framework. Also, you need to speak in charts. Executives need simple visuals to show these things. Picture the cliché charts of profits going up. If you can’t do this in-house, then it’s vital that you outsource this. It will pay off later, with increased buy in and budget.

3. Get Outside verification

Sadly, internal security evangelists can be viewed with skepticism. This happened even when I had the reputable weight of the CIA behind my recommendations. Dentists say you have to floss every day and mechanics say you need an oil change every 3,000 miles, but we all know these are the standards of perfection and that you’ll be ok if you skip a day flossing or wait until 4,000 miles this time. What makes cyber any different?

Another Fortune 500 CISO put it best. “Frequently, management doesn’t believe the experts they hire. After failing an audit, then they start to believe.” For better or worse, an outside opinion carries more weight. Consider outside consultants or a platform like CyberStrong to analyze your systems before an audit comes up and makes you look bad. It’s ironic, but spending money to help your board understand the problem can get you even more money in your budgets.

Scott Schlimmer is a former CIA officer & Co-Founder of Cybersaint Inc., whose CyberStrong™ software manages cybersecurity as a business function, measures cybersecurity strength against the NIST Cybersecurity framework, and uses AI to recommend how to get the most cybersecurity improvement for the least investment.

You may also like

Putting the “R” back in GRC - ...
on November 20, 2024

Cyber GRC (Governance, Risk, and Compliance) tools are software solutions that help organizations manage and streamline their cybersecurity, risk management, and compliance ...

October Product Update
on October 17, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start off, we’ve made it easier to create an assessment and risk ...

Transforming Cyber Risk ...
on October 12, 2024

In today’s complex cyber landscape, managing risks effectively isn’t just about identifying threats—it’s about understanding their impact and knowing how to prioritize ...

Step-by-Step Guide: How to Create ...
on November 20, 2024

Cyber risk management has become more critical in today's challenging digital landscape. Organizations face increased pressure to identify, assess, and mitigate risks that could ...

From Fragmentation to Integration: ...
on November 20, 2024

Organizations are often inundated with many security threats and vulnerabilities in today's fast-paced cybersecurity landscape. As a result, many have turned to point ...

How to Create a Comprehensive ...
on November 20, 2024

Cyber threats are becoming more frequent, sophisticated, and damaging in today's rapidly evolving digital landscape. Traditional approaches to cyber risk management, which often ...