Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/26/2019
10:00 AM
George Wrenn
George Wrenn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Ways to Champion and Increase Your 2020 Security Budget

Give your organization's leadership an impactful, out-of-office experience so they know what's at stake with their budgeting decisions.

Late in the summer of 2015, I orchestrated an off-site workshop with one of our biggest customers. I had two objectives: One was to create an unforgettable experience that demonstrated to executives how risk translated into strategy — and action — for the cybersecurity staff. 

And by scheduling this in fourth quarter of our fiscal year, the second, less obvious agenda was to make sure these same decisionmakers knew precisely what was at stake when it came time to debate my proposed security budget for the coming fiscal year. 

At least for my department, what had been mostly an academic exercise could then be imbued with a deeper understanding for the board about the real-world impact of their spending decisions.

As a global CISO, I saw the end of the year as a balancing act between short-term returns to finish the year strong and strategic investments to set my organization up for a successful new year. 

For many CISOs, the greatest end-of-year investment that they can make is bridging the gap between business and technology stakeholders. This is why I organized an experiential tour of one of our high profile customers, one with whom the board and CEO would be excited to visit and spend time. The tour included a presentation from our outside consulting team that discussed the risks of cutting edge technology when implemented without proper security measures. 

The event paid dividends, both short- and long-term. Because the CEO and board had a richer context to work from, they increased our security budget for the following year. And because other business leaders in attendance learned more about security, the company in turn developed a more risk-aware culture. 

For CISOs and security leaders looking to make a similar investment to fight security fatigue, here's my five-step blueprint for showcasing the importance of next year's cybersecurity investment — and emerge victorious from next year's budget negotiations. 

1. Be the Engineer, Not the Executor
As the cybersecurity leader, you want to secure more budget for your organization and the board and CEO know this. Consequently, you cannot be seen as the face of this experiential event. My recommendation is to source a consulting firm or collaborate with a team you're already working with to present this experience to the board and CEO. 

2. Create a Powerful Agenda
You may not be the front-of-the-room leader for the experiential tour, but don't delegate the day's schedule and pacing. Here are some criteria I settled on to create the first phase of the experience: 

  • Make it exciting: Find a customer or partner whose business your CEO and board will recognize and be excited to interact with. 
  • Align with your business: Ensure there are sufficient touch points between your business and the one you visit. The business challenges, the industry sector – there must be something relatable. Ensure that the board and CEO don't have to work hard to tie their learning back to your organization. 
  • Get out of the office: Remember, this investment is an experience. Creating an event that breaks the pattern and makes it more memorable and engaging for your CEO and board.  

Work closely with the third-party consultants, but in the end, you are the engineer for this experience and it's up to you to show executive leadership the risks the organization faces. The consultants in the room can help bridge the gap and make the presentation more relatable to business-side stakeholders. 

3. Show, Don't Tell 
The next part is the "shock and awe" that takes place back in the boardroom: Show, don't tell, your board and CEO what happens when that business's technology is used for nefarious purposes. If you tour a crane company, show them how white-hat hackers broke into IoT-enabled cranes. If you tour a connected home manufacturer, demonstrate how a hacker covertly accessed a Nest camera and talked to the woman in the house for hours. This allows your board and CEO to see the direct impact of cyber threats, and the direct impact to your organization and its customers and partners if these threats and risks aren't remediated. 

It's your best opportunity to show your board and CEO that business progress and innovation can be almost completely undone without strong cybersecurity and cyber risk management. 

4. The Direct Ask
Following the two-phase, hands-on experience, this is where you as the security leader take a presenting role. Illustrate to your board and CEO what you and your security organization are doing and capitalize on the realizations that have been made during the workshop thus far. Then be direct and clear: Tell them what you need to ensure that your organization and its customers don't suffer a similar fate. 

5. Where to Increase Spending
There are two prongs to increasing spending for your cybersecurity program in the wake of this experience: Incident response (and activities that fall under the Respond categories in the NIST CSF: response planning, communications, analysis, mitigation, and improvements), and increasing visibility and reporting at the executive level. 

Remember your priorities for this investment: Making your CEO and board care about cybersecurity and elevating cyber to a board and executive-level issue. I strongly discourage spending on another endpoint tool, and instead, trace the narrative of your entire presentation through to the outcomes that you're looking to achieve: A more resilient, cyber-aware enterprise. 

Specifically, investing in red-blue-team incident response drills whether tabletop or full mock exercises, will show your board and CEO that you're prepared for a real incident. Follow that with an investment in a solution that increases visibility into your cyber program. This is where you must implement integrated solutions that allow you to automate reporting and visualize your cyber program in a business context for the company's directors and executives. 

As we enter the last quarter of the year, it's critical to use up all your annual budget, and also use your budget effectively. Investing in an experience like this can shift how your executive management sees cybersecurity and break through general security fatigue. Executed properly, the short- and long-term wins will improve your risk posture and help business leaders make more informed decisions about security spending.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Home Safe: 20 Cybersecurity Tips for Your Remote Workers."

George Wrenn is the founder and CEO of CyberSaint Security, an integrated risk management company that streamlines and automates risk, compliance, and privacy programs. Prior to founding CyberSaint, George was the VP of cybersecurity (CSO) for Schneider Electric, a Global ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.