Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:00 PM
Connect Directly
E-Mail vvv

How to Boost Executive Buy-In for Security Investments

Linking security budgets to breach-protection outcomes helps executives balance spending against risk and earns CISOs greater respect in the C-suite.

It's no secret that there is a tenuous relationship between most chief information security officers (CISOs) and their executive suite and board. The CISO is caught between a rock (cause) and a hard place (effect).

CISO-led enterprise security programs are intended to protect against security breaches. Executives have a duty to protect a business from unacceptable impacts, but they are rarely (if ever) presented with quantifiable and data-driven security strategies and action plans that link control of specific security breach outcomes — and associated impacts — with specific budgets. 

Related Content:

10 Benefits of Running Cybersecurity Exercises

How Data Breaches Affect the Enterprise

2021 Security Budgets: 6 Top CISO Priorities, Realities

This exposes executives to external challengers — including investors, insurers, opposing legal counsel, regulators, and customers — regarding enterprise cyber-risk exposure. But these are not the only challengers. Internally, CISOs compete for limited funds against the rest of the business in an opportunity-cost war, and they are in battle with functions that deliver a much more obvious return on investment. 

Setting Cyber-Risk Expectations
To better handle these challenges, a security plan should set an expectation of the level of cyber-risk outcomes per given budget. This would not only set expectations for a given spend, but should a business cut or increase budget, the CISO can demonstrate the resulting change in cyber-risk exposure. 

The purpose of a security program is to have a degree of confidence in protection against security breaches. It is less that the executives believe that the business should be protected from breaches by advanced threats (like nation states); rather, they do not have credible information to know if less sophisticated threats, which are vastly more numerous, can breach and cause unacceptable impact. A security program should be able to assure a level of cyber-risk exposure.

Justifying the Economics of Risk Reduction
In general, operational leaders (like the heads of marketing, sales, IT, etc.) are expected to justify the opportunity to develop an enterprise-wide capability. They are good if they can demonstrate return, but they are great if they show a strong return. These are basic business economics that no business leadership can, or should, escape.

CISOs have effectively self-isolated themselves from the business in terms of strategic principles that do not align well with executive doctrine. Historically, security strategies have been primarily driven via vulnerability chasers, threat detectors, framework followers, and, more recently, risk calculators. These have been largely myopic or far too abstract to connect to executives. 

Taking a Security-Economic Approach
Can CISOs move into the (for lack of a better term) security-economic era? Everything in business is on a slider. A cost vs. reward slider. Executive satisfaction typically increases if you demonstrate a better return for an investment. Positive outcomes are often determined by how well expectations are set from the start. How can CISOs get executives to be satisfied with their work if they don't set an expectation of a result? Most CISOs are still overly fixated on what they do (or want to do), rather than what breach impact result they can control with an amount of budget. 

If CISOs want to better set expectations with executives, they need to take a security-economic approach that answers these questions:

  1. What are we focusing protection on — and is this justified?
  2. What levels and types of protection can we provide and at what costs?
  3. Do we have realistic plans to develop levels of protection?
  4. Can we manage and track our development and operations to ensure cost-efficiency?
  5. Can our results be independently verified?

By framing security this way, risk appetite becomes clear in the most meaningful way, based on the willingness to balance spend against potential risk outcomes. In this framework, risk is upfront, as are the options relative to spending and security posture. Ambiguity around security spending is gone, and the ultimate decision about business priorities and risk appetite is where it should be, with the executive suite.

When buying many things in life, you are faced with size and quality options. A security program is no different. The size is how many assets are under control (protection), and the quality is the level of that protection (what level of threat sophistication can cause unacceptable impact vs. what level is acceptable). 

By providing executives plans with sliders that vary the size and quality, you provide them choices. These choices demonstrate how much budget is to be allocated to receive various levels of protection — or conversely, of cyber-risk exposure. The options they do not fund, the CISO is not liable for.

A CISO that plans and delivers like this is in line with other business leaders and can be viewed as a leader at that level. If CISOs believe they don't get enough respect or they aren't heard, it may be because they are not presenting risk/reward-based analysis in line with their C-suite peers. 

It is time that CISOs reposition themselves from between a rock and a hard place to become the modern security-economic CISO. This will give them a seat at the executive and board table — not because they can see board-level problems, but because they can cost effectively solve board-level problems.

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-19
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that co...
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy.
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy.
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures, which allows unauthenticated, physically proximate attackers to replay communication sequences vi...
PUBLISHED: 2021-01-19
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens fo...