7 Tips For Getting Your Security Budget Approved
How to have a productive conversation with business leaders and get your security budget approved.
'Tis the season for building budgets, and security managers are under pressure to get the funds they need to protect their organizations. Of course this is easier said than done.
The road to budget approval is paved with difficult conversations between infosec professionals and business executives. If security leaders don't convey their needs in an understandable way, they risk disapproval from decision-makers and, as a result, less security spend.
Businesses' risk of cyberattack will only grow higher in 2017. As they create their security budgets, managers need to consider a few points that will help prepare them for productive conversations with executives.
Here, experts share their advice for security leaders creating and discussing their budgets for this year. Bear these in mind while navigating the budget approval process. Are there any tips you would add to this list? Let's keep the conversation going.
Businesses are more focused on point products than on data protection strategies, explains David Gibson, VP of strategy and market development at Varonis. Many of these products are built to mitigate one specific threat, and buying them one at a time leaves the organization's broader exposure unaddressed.
"We've seen a reactive approach to security has led to a lot of expense, but not a lot of success, in terms of improving the overall security posture of the organization," he says. Such products can cost a lot of money while giving a false sense of security.
At a time when we need to protect data and treat it as an asset, businesses aren't asking questions like "What data do I really need to protect the most?" and "How can I spot threats to sensitive data?" Potential threats include insiders who have privileged access but can abuse their power, or employees who have their accounts compromised by external attackers.
Businesses are paying more attention to data security, Gibson says, but more can be done. "Boards are getting questions from auditors about their data security strategies," he explains. "The people you do business with are asking to approve whether the data you store about them is being protected."
Heidi Shey, senior analyst for security and risk at Forrester, echoes the importance of developing a data security strategy.
"Without that in place, it's hard to know where you really need the most help; where you should be putting time and effort," she says. "If you can articulate what the strategy is and why this is the approach you're taking, it's easier to highlight what needs to be done next and justify the investments you're looking to make."
"Staffing, historically, has taken up a pretty large chunk of the budget," explains Shey. "Even with technologies that can help do a lot more, we need people to manage them, to understand them, to act on what those technologies are telling us."
If you're hoping to hire more security employees, it's important to be specific about your team's needs during the budget approval process.
"If it's coming down to 'we need help, we need an extra person,' you may get pushback," says Shey. "You need to highlight what it is you need, that you're not currently getting from staff or service providers you already work with."
The security skills in highest demand vary from industry to industry, she continues. Operations skills topped the list last year and this year. Other sought-after skills cluster around programming, scripting knowledge, malware analysis, and mobile security.
It's worth noting that many businesses don't expect they'll get enough headcount for security staff this year, says Gibson. As a result, they're trying to figure out how to do more with fewer people by investing in security technologies that will deliver alerts that are understandable to lower-level security pros and business staff.
Security concerns and alerts must be relevant to business leaders, Gibson emphasizes. Some of the more esoteric security technologies have been hard for non-technical people to understand. As they build their budgets, security pros need to phrase technical jargon in a way that makes sense to people outside their department.
"It all goes back to putting [security] into language that's compelling and credible enough so executives making decisions can acknowledge there are threats and the risks are real," says Carolyn Crandall, CMO at Attivo.
For example, Gibson says, if you're explaining an alert from a network intrusion detection system, the pattern of network behavior is tough to translate into something tangible for a business employee. "This is potentially a specific threat" is vague and may not seem worrisome to someone outside security.
Contrast that with: "John just downloaded 5,000 patient records, and normally looks at 5 or 10." This illustrates the immediate threat in a way that ensures the business knows where the value is. The alternative, if your team doesn't have the expertise to translate these concerns, is to invest in technology that does. Look for systems that deliver meaningful information, which someone can read and digest even if they don't have an especially broad or deep security background.
Shey advises against using scare tactics during the budget approval process. This includes highlighting the potential tremendous cost of a data breach or major consequences if something bad happens.
Crandall agrees that scaring business leaders with security dangers usually doesn't work. Scare tactics get rejected either because people don't believe those extreme situations will actually happen, or because security pros fail to articulate the threats in an understandable way. And if a budget is approved on the strength of a worst case that never materializes, the CISO loses credibility.
This doesn't mean business leaders should be unaware of the potential consequences of security breaches, says Crandall. They should know the risks they face. However, for every weakness the security team highlights, there should be a suggested improvement for reducing that risk.
It's important to focus on how security can help the company move in the right direction, not only on the dangers new technologies can prevent. If you can tie security to the business strategy, it's easier to highlight what needs to be done and to justify the investments you're hoping to make, says Shey. Basing your entire argument on major consequences will lead to a less productive conversation.
It's important to emphasize how security can enable business success. The manual processes organizations use for security can often get them in trouble, says Gibson. Setting permissions on directories by hand, for example, or manually provisioning access is time-consuming and generates operational overhead. What's more, these processes aren't very effective in terms of security.
Automation can cut operational overhead and improve security at the same time, he continues, both of which help the business. Technology can show you where you have stale, unused data, and security pros can then argue that the business is paying to store, on expensive infrastructure, data it doesn't need to keep. The data that remains can also be made easier to find and use.
"If the data is stored in the right places you can gain access to it faster, which can increase productivity," he explains. End users often struggle to find the data they need, which can waste valuable time.
"If you can tie security efforts into improving productivity, and argue security can drive revenue and growth, you'll have a much better conversation."