Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/26/2019
10:00 AM
George Wrenn
George Wrenn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Ways to Champion and Increase Your 2020 Security Budget

Give your organization's leadership an impactful, out-of-office experience so they know what's at stake with their budgeting decisions.

Late in the summer of 2015, I orchestrated an off-site workshop with one of our biggest customers. I had two objectives: One was to create an unforgettable experience that demonstrated to executives how risk translated into strategy — and action — for the cybersecurity staff. 

And by scheduling this in fourth quarter of our fiscal year, the second, less obvious agenda was to make sure these same decisionmakers knew precisely what was at stake when it came time to debate my proposed security budget for the coming fiscal year. 

At least for my department, what had been mostly an academic exercise could then be imbued with a deeper understanding for the board about the real-world impact of their spending decisions.

As a global CISO, I saw the end of the year as a balancing act between short-term returns to finish the year strong and strategic investments to set my organization up for a successful new year. 

For many CISOs, the greatest end-of-year investment that they can make is bridging the gap between business and technology stakeholders. This is why I organized an experiential tour of one of our high profile customers, one with whom the board and CEO would be excited to visit and spend time. The tour included a presentation from our outside consulting team that discussed the risks of cutting edge technology when implemented without proper security measures. 

The event paid dividends, both short- and long-term. Because the CEO and board had a richer context to work from, they increased our security budget for the following year. And because other business leaders in attendance learned more about security, the company in turn developed a more risk-aware culture. 

For CISOs and security leaders looking to make a similar investment to fight security fatigue, here's my five-step blueprint for showcasing the importance of next year's cybersecurity investment — and emerge victorious from next year's budget negotiations. 

1. Be the Engineer, Not the Executor
As the cybersecurity leader, you want to secure more budget for your organization and the board and CEO know this. Consequently, you cannot be seen as the face of this experiential event. My recommendation is to source a consulting firm or collaborate with a team you're already working with to present this experience to the board and CEO. 

2. Create a Powerful Agenda
You may not be the front-of-the-room leader for the experiential tour, but don't delegate the day's schedule and pacing. Here are some criteria I settled on to create the first phase of the experience: 

  • Make it exciting: Find a customer or partner whose business your CEO and board will recognize and be excited to interact with. 
  • Align with your business: Ensure there are sufficient touch points between your business and the one you visit. The business challenges, the industry sector – there must be something relatable. Ensure that the board and CEO don't have to work hard to tie their learning back to your organization. 
  • Get out of the office: Remember, this investment is an experience. Creating an event that breaks the pattern and makes it more memorable and engaging for your CEO and board.  

Work closely with the third-party consultants, but in the end, you are the engineer for this experience and it's up to you to show executive leadership the risks the organization faces. The consultants in the room can help bridge the gap and make the presentation more relatable to business-side stakeholders. 

3. Show, Don't Tell 
The next part is the "shock and awe" that takes place back in the boardroom: Show, don't tell, your board and CEO what happens when that business's technology is used for nefarious purposes. If you tour a crane company, show them how white-hat hackers broke into IoT-enabled cranes. If you tour a connected home manufacturer, demonstrate how a hacker covertly accessed a Nest camera and talked to the woman in the house for hours. This allows your board and CEO to see the direct impact of cyber threats, and the direct impact to your organization and its customers and partners if these threats and risks aren't remediated. 

It's your best opportunity to show your board and CEO that business progress and innovation can be almost completely undone without strong cybersecurity and cyber risk management. 

4. The Direct Ask
Following the two-phase, hands-on experience, this is where you as the security leader take a presenting role. Illustrate to your board and CEO what you and your security organization are doing and capitalize on the realizations that have been made during the workshop thus far. Then be direct and clear: Tell them what you need to ensure that your organization and its customers don't suffer a similar fate. 

5. Where to Increase Spending
There are two prongs to increasing spending for your cybersecurity program in the wake of this experience: Incident response (and activities that fall under the Respond categories in the NIST CSF: response planning, communications, analysis, mitigation, and improvements), and increasing visibility and reporting at the executive level. 

Remember your priorities for this investment: Making your CEO and board care about cybersecurity and elevating cyber to a board and executive-level issue. I strongly discourage spending on another endpoint tool, and instead, trace the narrative of your entire presentation through to the outcomes that you're looking to achieve: A more resilient, cyber-aware enterprise. 

Specifically, investing in red-blue-team incident response drills whether tabletop or full mock exercises, will show your board and CEO that you're prepared for a real incident. Follow that with an investment in a solution that increases visibility into your cyber program. This is where you must implement integrated solutions that allow you to automate reporting and visualize your cyber program in a business context for the company's directors and executives. 

As we enter the last quarter of the year, it's critical to use up all your annual budget, and also use your budget effectively. Investing in an experience like this can shift how your executive management sees cybersecurity and break through general security fatigue. Executed properly, the short- and long-term wins will improve your risk posture and help business leaders make more informed decisions about security spending.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Home Safe: 20 Cybersecurity Tips for Your Remote Workers."

George Wrenn is the founder and CEO of CyberSaint Security, an integrated risk management company that streamlines and automates risk, compliance, and privacy programs. Prior to founding CyberSaint, George was the VP of cybersecurity (CSO) for Schneider Electric, a Global ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...