11/26/2019
10:00 AM
George Wrenn
Commentary

5 Ways to Champion and Increase Your 2020 Security Budget

Give your organization's leadership an impactful, out-of-office experience so they know what's at stake with their budgeting decisions.

Late in the summer of 2015, I orchestrated an off-site workshop with one of our biggest customers. I had two objectives: One was to create an unforgettable experience that demonstrated to executives how risk translated into strategy — and action — for the cybersecurity staff. 

And by scheduling this in the fourth quarter of our fiscal year, the second, less obvious agenda was to make sure these same decision-makers knew precisely what was at stake when it came time to debate my proposed security budget for the coming fiscal year. 

At least for my department, what had been mostly an academic exercise could then be imbued with a deeper understanding for the board about the real-world impact of their spending decisions.

As a global CISO, I saw the end of the year as a balancing act between short-term returns to finish the year strong and strategic investments to set my organization up for a successful new year. 

For many CISOs, the greatest end-of-year investment they can make is bridging the gap between business and technology stakeholders. This is why I organized an experiential tour of one of our high-profile customers, one the board and CEO would be excited to visit and spend time with. The tour included a presentation from our outside consulting team that discussed the risks of cutting-edge technology when implemented without proper security measures. 

The event paid dividends, both short- and long-term. Because the CEO and board had a richer context to work from, they increased our security budget for the following year. And because other business leaders in attendance learned more about security, the company in turn developed a more risk-aware culture. 

For CISOs and security leaders looking to make a similar investment to fight security fatigue, here's my five-step blueprint for showcasing the importance of next year's cybersecurity investment — and emerge victorious from next year's budget negotiations. 

1. Be the Engineer, Not the Executor
As the cybersecurity leader, you want to secure more budget for your organization, and the board and CEO know this. Consequently, you cannot be seen as the face of this experiential event. My recommendation is to source a consulting firm or collaborate with a team you're already working with to present this experience to the board and CEO. 

2. Create a Powerful Agenda
You may not be the front-of-the-room leader for the experiential tour, but don't delegate the day's schedule and pacing. Here are some criteria I settled on to create the first phase of the experience: 

  • Make it exciting: Find a customer or partner whose business your CEO and board will recognize and be excited to interact with. 
  • Align with your business: Ensure there are sufficient touch points between your business and the one you visit. The business challenges, the industry sector – there must be something relatable. Ensure that the board and CEO don't have to work hard to tie their learning back to your organization. 
  • Get out of the office: Remember, this investment is an experience. Create an event that breaks the pattern; that makes it more memorable and engaging for your CEO and board. 

Work closely with the third-party consultants, but in the end, you are the engineer for this experience and it's up to you to show executive leadership the risks the organization faces. The consultants in the room can help bridge the gap and make the presentation more relatable to business-side stakeholders. 

3. Show, Don't Tell 
The next part is the "shock and awe" that takes place back in the boardroom: Show, don't tell, your board and CEO what happens when that business's technology is used for nefarious purposes. If you tour a crane company, show them how white-hat hackers broke into IoT-enabled cranes. If you tour a connected home manufacturer, demonstrate how a hacker covertly accessed a Nest camera and talked to the woman in the house for hours. This allows your board and CEO to see the direct impact of cyber threats, and the direct impact to your organization and its customers and partners if these threats and risks aren't remediated. 

It's your best opportunity to show your board and CEO that business progress and innovation can be almost completely undone without strong cybersecurity and cyber risk management. 

4. The Direct Ask
Following the two-phase, hands-on experience, this is where you as the security leader take a presenting role. Illustrate to your board and CEO what you and your security organization are doing and capitalize on the realizations that have been made during the workshop thus far. Then be direct and clear: Tell them what you need to ensure that your organization and its customers don't suffer a similar fate. 

5. Where to Increase Spending
There are two prongs to increasing spending for your cybersecurity program in the wake of this experience: Incident response (and activities that fall under the Respond categories in the NIST CSF: response planning, communications, analysis, mitigation, and improvements), and increasing visibility and reporting at the executive level. 

Remember your priorities for this investment: Making your CEO and board care about cybersecurity and elevating cyber to a board and executive-level issue. I strongly discourage spending on another endpoint tool, and instead, trace the narrative of your entire presentation through to the outcomes that you're looking to achieve: A more resilient, cyber-aware enterprise. 

Specifically, investing in red-team/blue-team incident response drills, whether tabletop or full mock exercises, will show your board and CEO that you're prepared for a real incident. Follow that with an investment in a solution that increases visibility into your cyber program. This is where you must implement integrated solutions that allow you to automate reporting and visualize your cyber program in a business context for the company's directors and executives. 

As we enter the last quarter of the year, it's critical to use up all your annual budget, and also use your budget effectively. Investing in an experience like this can shift how your executive management sees cybersecurity and break through general security fatigue. Executed properly, the short- and long-term wins will improve your risk posture and help business leaders make more informed decisions about security spending.

George Wrenn is the founder and CEO of CyberSaint Security, an integrated risk management company that streamlines and automates risk, compliance, and privacy programs. Prior to founding CyberSaint, George was the VP of cybersecurity (CSO) for Schneider Electric, a Global ...