How to Boost Executive Buy-In for Security Investments

Linking security budgets to breach-protection outcomes helps executives balance spending against risk and earns CISOs greater respect in the C-suite.

It's no secret that there is a tenuous relationship between most chief information security officers (CISOs) and their executive suite and board. The CISO is caught between a rock (cause) and a hard place (effect).

CISO-led enterprise security programs are intended to protect against security breaches. Executives have a duty to protect a business from unacceptable impacts, but they are rarely (if ever) presented with quantifiable and data-driven security strategies and action plans that link control of specific security breach outcomes — and associated impacts — with specific budgets. 

This exposes executives to external challengers — including investors, insurers, opposing legal counsel, regulators, and customers — regarding enterprise cyber-risk exposure. But these are not the only challengers. Internally, CISOs compete for limited funds against the rest of the business in an opportunity-cost war, and they are in battle with functions that deliver a much more obvious return on investment. 

Setting Cyber-Risk Expectations
To better handle these challenges, a security plan should set an expectation of the level of cyber-risk outcomes for a given budget. This not only sets expectations for a given spend; should the business cut or increase the budget, the CISO can also demonstrate the resulting change in cyber-risk exposure.

The purpose of a security program is to provide a degree of confidence in protection against security breaches. The issue is less whether executives believe the business should be protected from breaches by advanced threats (like nation-states); rather, they lack credible information to know whether less sophisticated threats, which are vastly more numerous, can breach the business and cause unacceptable impact. A security program should be able to assure a level of cyber-risk exposure.

Justifying the Economics of Risk Reduction
In general, operational leaders (like the heads of marketing, sales, IT, etc.) are expected to justify the opportunity to develop an enterprise-wide capability. They are good if they can demonstrate return, but they are great if they show a strong return. These are basic business economics that no business leadership can, or should, escape.

CISOs have effectively isolated themselves from the business by following strategic principles that do not align well with executive doctrine. Historically, security strategies have been driven primarily by vulnerability chasers, threat detectors, framework followers, and, more recently, risk calculators. These have been either too myopic or far too abstract to connect with executives.

Taking a Security-Economic Approach
Can CISOs move into the (for lack of a better term) security-economic era? Everything in business is on a slider. A cost vs. reward slider. Executive satisfaction typically increases if you demonstrate a better return for an investment. Positive outcomes are often determined by how well expectations are set from the start. How can CISOs get executives to be satisfied with their work if they don't set an expectation of a result? Most CISOs are still overly fixated on what they do (or want to do), rather than what breach impact result they can control with an amount of budget. 

If CISOs want to better set expectations with executives, they need to take a security-economic approach that answers these questions:

  1. What are we focusing protection on — and is this justified?
  2. What levels and types of protection can we provide and at what costs?
  3. Do we have realistic plans to develop levels of protection?
  4. Can we manage and track our development and operations to ensure cost-efficiency?
  5. Can our results be independently verified?

By framing security this way, risk appetite becomes clear in the most meaningful way, based on the willingness to balance spend against potential risk outcomes. In this framework, risk is upfront, as are the options relative to spending and security posture. Ambiguity around security spending is gone, and the ultimate decision about business priorities and risk appetite is where it should be, with the executive suite.

When buying many things in life, you are faced with size and quality options. A security program is no different. The size is how many assets are under control (protection), and the quality is the level of that protection (what level of threat sophistication can cause unacceptable impact vs. what level is acceptable). 

By providing executives with plans that include sliders varying the size and quality, you give them choices. These choices show how much budget must be allocated to receive various levels of protection — or, conversely, of cyber-risk exposure. The CISO is not liable for the options executives choose not to fund.

A CISO who plans and delivers like this is in line with other business leaders and can be viewed as a leader at that level. If CISOs believe they don't get enough respect or aren't heard, it may be because they are not presenting risk/reward-based analysis in the way their C-suite peers do.

It is time for CISOs to reposition themselves from between a rock and a hard place and become the modern security-economic CISO. This will give them a seat at the executive and board table — not because they can see board-level problems, but because they can cost-effectively solve board-level problems.

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ...
