How to Spend Your Cybersecurity Budget Increase


In “How to sell cybersecurity to your executive team,” I discussed strategies for selling cybersecurity to your board of directors, executives, and business leaders using a standards-based approach. Done well, that strategy should lead to a larger cybersecurity budget. Ample security budgets are rare, but by speaking the executive team’s language, using metrics and visuals, and getting outside verification, you’re bound to get the occasional healthy budget increase.

So, you’ve followed those steps and have been rewarded with a larger security budget. Because no good deed goes unpunished, this raises a difficult question: what should you do with the money? Your budget won’t increase every year, so it’s important to make the most of the opportunity. Use the same standards-based approach to allocate the funds, so that you can measure your return on investment and get the most improvement per dollar.

Use a framework to determine allocation

It’s important that you allocate new funds where they will bring your organization the most benefit. Use a framework like the NIST Cybersecurity Framework (CSF) or ISO 27001 to assess your strengths and weaknesses, and direct the new spending at an area of weakness. For example, if you already have a high-quality intrusion detection solution, buying another detection solution won’t give you much more cyber strength for the money. Perhaps you’re weaker in your ability to recover from an emergency, and would be better served by a backup system that can get you operational (and profitable) again quickly. In CSF terms, that is the difference between spending on the Detect function, which is already covered, and the Recover function, which is not.

If you haven’t done such an assessment, consider third-party consultants or a software solution like CyberStrong, which uses artificial intelligence to determine how you can get the most cyber improvement for the least investment, based on your specific situation.


I’ve discovered through our AI that many companies are spending plenty on technological solutions, but they are understaffed and not making the most of the technology. Perhaps your new funds would be better spent adding additional people who can develop things like better incident response plans, employee training programs, and disaster recovery plans. Be sure to balance technology and people. While quality firewalls and SIEMs are important, there is also a lot of low-hanging fruit that can strengthen your cyber resiliency for less cost.

Measure ROI

Russ Verbosky, CIO and CISO at the New Mexico Department of Game and Fish, says, “I keep reading that CISOs should report directly to the CEO. CISOs, therefore, should have their own budgets.”

The reality, however, is that most CISOs are not in total control of their budgets. For this reason, it’s important to demonstrate that you’re providing a strong return on the investment, which will help you continue to get budget increases in the future.

My preferred way to do this is to use quality metrics to measure your current cyber strength, and then demonstrate how much the proposed spending will increase it. At CyberSaint, we use the NIST CSF as our metric. For instance, perhaps right now we’ve completed 67% of the NIST CSF, so our cyber strength is 67. If we make investment level A, perhaps a medium investment, our cyber strength increases to 75. If we have less to spend, we can drop two specific items, perhaps security awareness training and an insider threat program, and our cyber strength will only reach 71. But if we have additional funds to invest, we can add two specific items that bump our cyber strength up to 80, and we will be much more resilient. Whatever scale you use, be consistent about it: a completion percentage measures coverage, so back each “completed” item with evidence that the control is actually in place rather than a self-reported checkbox, and have that verified from outside where you can.

This process turns cyber into a measurable business function. You and your board or executive team can decide together: this is where we want our cyber program to be within a year. Instead of picking solutions willy-nilly with unknown ROI, you’re now showing the board or executive team a clear return on this additional spending. And hopefully, seeing clear, measurable results will help you get larger budgets in the future, too.
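As a worked illustration of the scenario arithmetic above, and of the earlier point that a second detection product buys little when detection is already covered, here is a small Python model. It is an added example, not code from the original article or from the CyberStrong product. The 15 subcategory IDs, their completion status, the five candidate investments and their costs are all constructed for illustration; they are not the real NIST CSF catalogue (CSF 1.1 has 108 subcategories) and not real prices. Cyber strength is modelled, as in the text, as the rounded percentage of framework subcategories implemented.

```python
from itertools import combinations

# Constructed toy baseline, not the real NIST CSF catalogue (CSF 1.1 has 108
# subcategories): 15 hypothetical subcategory IDs in CSF-style notation and
# whether each is currently implemented. 10 of 15 done -> cyber strength 67.
BASELINE = {
    "ID.AM-1": True, "ID.AM-2": True, "ID.RA-1": True, "PR.AC-1": True,
    "PR.AC-4": True, "PR.DS-1": True, "DE.CM-1": True, "DE.AE-2": True,
    "RS.CO-1": True, "RC.CO-1": True,
    "PR.AT-1": False, "DE.CM-3": False, "PR.IP-4": False,
    "RC.RP-1": False, "RS.RP-1": False,
}

# Constructed investment catalogue: name -> (cost in budget units, subcategories
# the investment would move to "implemented"). Costs are illustrative.
CATALOG = {
    "security_awareness_training": (20, {"PR.AT-1"}),
    "insider_threat_program": (35, {"DE.CM-3"}),
    "backup_and_recovery_system": (60, {"PR.IP-4", "RC.RP-1"}),
    "incident_response_plan": (30, {"RS.RP-1"}),
    # A second detection product that only re-covers DE.CM-1, already met:
    # it costs money but adds no cyber strength.
    "second_ids": (50, {"DE.CM-1"}),
}


def cyber_strength(state):
    """Cyber strength = percentage of subcategories implemented, rounded."""
    return round(100 * sum(state.values()) / len(state))


def apply_investments(state, names, catalog=CATALOG):
    """Return a copy of state with each investment's subcategories marked done."""
    new_state = dict(state)
    for name in names:
        for subcategory in catalog[name][1]:
            if subcategory in new_state:
                new_state[subcategory] = True
    return new_state


def scenario(state, names, catalog=CATALOG):
    """Evaluate one bundle of investments: (resulting score, total cost, gain)."""
    before = cyber_strength(state)
    after = cyber_strength(apply_investments(state, names, catalog))
    cost = sum(catalog[name][0] for name in names)
    return after, cost, after - before


def best_plan(state, budget, catalog=CATALOG):
    """Exhaustive search over bundles that fit the budget.

    Picks the highest score, breaking ties by lowest cost. Fine for a short
    catalogue (2**n bundles); a real catalogue of hundreds of items would
    want a knapsack/ILP solver instead.
    """
    best = ((), cyber_strength(state), 0)
    names = sorted(catalog)
    for size in range(1, len(names) + 1):
        for bundle in combinations(names, size):
            score, cost, _ = scenario(state, bundle, catalog)
            if cost > budget:
                continue
            if (score, -cost) > (best[1], -best[2]):
                best = (bundle, score, cost)
    return best


if __name__ == "__main__":
    print("baseline cyber strength:", cyber_strength(BASELINE))
    for name in CATALOG:
        score, cost, gain = scenario(BASELINE, [name])
        print(f"{name:30s} cost={cost:3d} score={score:3d} gain={gain:+d}")
    for budget in (50, 100):
        bundle, score, cost = best_plan(BASELINE, budget)
        print(f"budget {budget}: {', '.join(bundle)} -> score {score} at cost {cost}")
```

Run it and the single-item table shows the "second IDS" line with a gain of zero, which is the allocation mistake described above made visible. The two budget lines are the "less to spend" and "more to spend" scenarios: the cheaper plan picks the awareness training and the incident response plan, while the larger budget buys the backup system plus training instead. The model deliberately treats every subcategory as equally valuable; if your risk assessment says otherwise, weight the subcategories before summing them.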

Originally published in CSO Magazine.
