
Risk

11/26/2019
10:00 AM
George Wrenn
Commentary

5 Ways to Champion and Increase Your 2020 Security Budget

Give your organization's leadership an impactful, out-of-office experience so they know what's at stake with their budgeting decisions.

Late in the summer of 2015, I orchestrated an off-site workshop with one of our biggest customers. I had two objectives: One was to create an unforgettable experience that demonstrated to executives how risk translated into strategy — and action — for the cybersecurity staff. 

And by scheduling this in the fourth quarter of our fiscal year, the second, less obvious agenda was to make sure these same decision-makers knew precisely what was at stake when it came time to debate my proposed security budget for the coming fiscal year.

At least for my department, what had been mostly an academic exercise could then be imbued with a deeper understanding for the board about the real-world impact of their spending decisions.

As a global CISO, I saw the end of the year as a balancing act between short-term returns to finish the year strong and strategic investments to set my organization up for a successful new year. 

For many CISOs, the greatest end-of-year investment they can make is bridging the gap between business and technology stakeholders. This is why I organized an experiential tour of one of our high-profile customers, one the board and CEO would be excited to visit and spend time with. The tour included a presentation from our outside consulting team that discussed the risks of cutting-edge technology when it is implemented without proper security measures.

The event paid dividends, both short- and long-term. Because the CEO and board had a richer context to work from, they increased our security budget for the following year. And because other business leaders in attendance learned more about security, the company in turn developed a more risk-aware culture. 

For CISOs and security leaders looking to make a similar investment to fight security fatigue, here's my five-step blueprint for showcasing the importance of next year's cybersecurity investment — and emerging victorious from next year's budget negotiations.

1. Be the Engineer, Not the Executor
As the cybersecurity leader, you want to secure more budget for your organization, and the board and CEO know this. Consequently, you cannot be seen as the face of this experiential event. My recommendation is to source a consulting firm or collaborate with a team you're already working with to present this experience to the board and CEO.

2. Create a Powerful Agenda
You may not be the front-of-the-room leader for the experiential tour, but don't delegate the day's schedule and pacing. Here are some criteria I settled on to create the first phase of the experience: 

  • Make it exciting: Find a customer or partner whose business your CEO and board will recognize and be excited to interact with.
  • Align with your business: Ensure there are sufficient touchpoints between your business and the one you visit. The business challenges, the industry sector – there must be something relatable. Ensure that the board and CEO don't have to work hard to tie their learning back to your organization.
  • Get out of the office: Remember, this investment is an experience. Create an event that breaks the pattern; that makes it more memorable and engaging for your CEO and board.

Work closely with the third-party consultants, but in the end, you are the engineer for this experience and it's up to you to show executive leadership the risks the organization faces. The consultants in the room can help bridge the gap and make the presentation more relatable to business-side stakeholders. 

3. Show, Don't Tell 
The next part is the "shock and awe" that takes place back in the boardroom: Show, don't tell, your board and CEO what happens when that business's technology is used for nefarious purposes. If you tour a crane company, show them how white-hat hackers broke into IoT-enabled cranes. If you tour a connected-home manufacturer, demonstrate how a hacker covertly accessed a Nest camera and talked to the woman in the house for hours. This allows your board and CEO to see the direct impact of cyber threats, and the direct impact on your organization and its customers and partners if these threats and risks aren't remediated.

It's your best opportunity to show your board and CEO that business progress and innovation can be almost completely undone without strong cybersecurity and cyber risk management. 

4. The Direct Ask
Following the two-phase, hands-on experience, this is where you as the security leader take a presenting role. Illustrate to your board and CEO what you and your security organization are doing and capitalize on the realizations that have been made during the workshop thus far. Then be direct and clear: Tell them what you need to ensure that your organization and its customers don't suffer a similar fate. 

5. Where to Increase Spending
There are two prongs to increasing spending for your cybersecurity program in the wake of this experience: Incident response (and activities that fall under the Respond categories in the NIST CSF: response planning, communications, analysis, mitigation, and improvements), and increasing visibility and reporting at the executive level. 

Remember your priorities for this investment: Making your CEO and board care about cybersecurity and elevating cyber to a board and executive-level issue. I strongly discourage spending on another endpoint tool, and instead, trace the narrative of your entire presentation through to the outcomes that you're looking to achieve: A more resilient, cyber-aware enterprise. 

Specifically, investing in red-team/blue-team incident response drills, whether tabletop or full mock exercises, will show your board and CEO that you're prepared for a real incident. Follow that with an investment in a solution that increases visibility into your cyber program. This is where you must implement integrated solutions that allow you to automate reporting and visualize your cyber program in a business context for the company's directors and executives.

As we enter the last quarter of the year, it's critical to use your full annual budget, and to use it effectively. Investing in an experience like this can shift how your executive management sees cybersecurity and break through general security fatigue. Executed properly, the short- and long-term wins will improve your risk posture and help business leaders make more informed decisions about security spending.


George Wrenn is the founder and CEO of CyberSaint Security, an integrated risk management company that streamlines and automates risk, compliance, and privacy programs. Prior to founding CyberSaint, George was the VP of cybersecurity (CSO) for Schneider Electric, a Global ...