Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Connect Directly
E-Mail vvv

How to Boost Executive Buy-In for Security Investments

Linking security budgets to breach-protection outcomes helps executives balance spending against risk and earns CISOs greater respect in the C-suite.

It's no secret that there is a tenuous relationship between most chief information security officers (CISOs) and their executive suite and board. The CISO is caught between a rock (cause) and a hard place (effect).

CISO-led enterprise security programs are intended to protect against security breaches. Executives have a duty to protect a business from unacceptable impacts, but they are rarely (if ever) presented with quantifiable and data-driven security strategies and action plans that link control of specific security breach outcomes — and associated impacts — with specific budgets. 

Related Content:

10 Benefits of Running Cybersecurity Exercises

How Data Breaches Affect the Enterprise

2021 Security Budgets: 6 Top CISO Priorities, Realities

This exposes executives to external challengers — including investors, insurers, opposing legal counsel, regulators, and customers — regarding enterprise cyber-risk exposure. But these are not the only challengers. Internally, CISOs compete for limited funds against the rest of the business in an opportunity-cost war, and they are in battle with functions that deliver a much more obvious return on investment. 

Setting Cyber-Risk Expectations
To better handle these challenges, a security plan should set an expectation of the level of cyber-risk outcomes per given budget. This would not only set expectations for a given spend, but should a business cut or increase budget, the CISO can demonstrate the resulting change in cyber-risk exposure. 

The purpose of a security program is to have a degree of confidence in protection against security breaches. It is less that the executives believe that the business should be protected from breaches by advanced threats (like nation states); rather, they do not have credible information to know if less sophisticated threats, which are vastly more numerous, can breach and cause unacceptable impact. A security program should be able to assure a level of cyber-risk exposure.

Justifying the Economics of Risk Reduction
In general, operational leaders (like the heads of marketing, sales, IT, etc.) are expected to justify the opportunity to develop an enterprise-wide capability. They are good if they can demonstrate return, but they are great if they show a strong return. These are basic business economics that no business leadership can, or should, escape.

CISOs have effectively self-isolated themselves from the business in terms of strategic principles that do not align well with executive doctrine. Historically, security strategies have been primarily driven via vulnerability chasers, threat detectors, framework followers, and, more recently, risk calculators. These have been largely myopic or far too abstract to connect to executives. 

Taking a Security-Economic Approach
Can CISOs move into the (for lack of a better term) security-economic era? Everything in business is on a slider. A cost vs. reward slider. Executive satisfaction typically increases if you demonstrate a better return for an investment. Positive outcomes are often determined by how well expectations are set from the start. How can CISOs get executives to be satisfied with their work if they don't set an expectation of a result? Most CISOs are still overly fixated on what they do (or want to do), rather than what breach impact result they can control with an amount of budget. 

If CISOs want to better set expectations with executives, they need to take a security-economic approach that answers these questions:

  1. What are we focusing protection on — and is this justified?
  2. What levels and types of protection can we provide and at what costs?
  3. Do we have realistic plans to develop levels of protection?
  4. Can we manage and track our development and operations to ensure cost-efficiency?
  5. Can our results be independently verified?

By framing security this way, risk appetite becomes clear in the most meaningful way, based on the willingness to balance spend against potential risk outcomes. In this framework, risk is upfront, as are the options relative to spending and security posture. Ambiguity around security spending is gone, and the ultimate decision about business priorities and risk appetite is where it should be, with the executive suite.

When buying many things in life, you are faced with size and quality options. A security program is no different. The size is how many assets are under control (protection), and the quality is the level of that protection (what level of threat sophistication can cause unacceptable impact vs. what level is acceptable). 

By providing executives plans with sliders that vary the size and quality, you provide them choices. These choices demonstrate how much budget is to be allocated to receive various levels of protection — or conversely, of cyber-risk exposure. The options they do not fund, the CISO is not liable for.

A CISO that plans and delivers like this is in line with other business leaders and can be viewed as a leader at that level. If CISOs believe they don't get enough respect or they aren't heard, it may be because they are not presenting risk/reward-based analysis in line with their C-suite peers. 

It is time that CISOs reposition themselves from between a rock and a hard place to become the modern security-economic CISO. This will give them a seat at the executive and board table — not because they can see board-level problems, but because they can cost effectively solve board-level problems.

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...
PUBLISHED: 2021-06-14
Improper Input Validation vulnerability in Hitachi ABB Power Grids Relion 670 Series, Relion 670/650 Series, Relion 670/650/SAM600-IO, Relion 650, REB500, RTU500 Series, FOX615 (TEGO1), MSM, GMS600, PWC600 allows an attacker with access to the IEC 61850 network with knowledge of how to reproduce the...