“Many boards now have a clear focus on information security risks. This is not always reflected across the broader organization. Security and risk management professionals must manage and defend security budgets to meet stakeholder expectations of protection.”
These words, published on the Gartner website, are frustratingly true for many firms out there.
CIOs oversee the accessibility, confidentiality and integrity of files and systems. This means they must introduce new systems and maintain old ones, ensuring that everyone who is authorized to access them can, while keeping those who are not out. They must also ensure that files and systems have not been tampered with or compromised in any way.
CIOs are also responsible for securing and allocating budget.
And more than a few CIOs out there are losing a major battle in the boardroom. They are failing to get enough budget to adequately secure their systems and environment, not to mention comply with the numerous pieces of legislation from federal, state and industry bodies.
Considering that the number of different systems we, as users, expect to use seamlessly keeps growing, securing IT budgets continues to be a very difficult process.
Here are three tips to help bolster your request for security budget.
If you do not check, or do not receive regular verified assessment reports on, the current state of your systems, you cannot have an accurate sense of your risk posture.
Consider this scenario: your systems are superbly defended, but lax configuration options and poor login management have made your network far more vulnerable to an external attack or data leak, or perhaps you have legacy apps lurking around on your system…
Any of these could happen to any system that is not properly or regularly monitored.
We recommend you consider investing in a full risk assessment, which includes vulnerability scans and in-depth penetration testing. Work with a reputable information security firm with proven business acumen. They should provide a stakeholder readiness report as well as a remediation plan from which you can derive budget numbers.
Review the findings carefully and isolate the top three findings that impact business-critical systems. Focus on these three elements and build detailed strategy proposals to remediate the issues with the least disruption to resources and services.
An additional bonus is that in-depth knowledge of your systems will help build your credibility as a trusted senior stakeholder, improving your chances at future budget meetings.
Learn more about Risk Assessments
Many CIOs depend upon news clippings and cyber stats to help build their case for additional budget. This is known as the FUD (fear, uncertainty and doubt) approach.
Boards often find it uncomfortable to invest significantly in a defensive strategy when the cyber enemy is largely theoretical. The fear that the expenditure will never pay for itself makes IT security budget requests more vulnerable to push-back.
However, many regulatory requirements, such as PCI, HIPAA and the soon-to-be-introduced GDPR, pose a very real threat to the company's bottom line in the form of fines.
These regulations require data security implementations, regular penetration tests and system monitoring, not to mention anonymization and encryption policies. Failure to comply can also lead to stiff fines and public brand damage.
CIOs have an opportunity to improve their overall risk posture through compliance. Demonstrate how complying with these regulations will significantly improve your protection of the business, as well as earn the appropriate tick in the compliance box.
Learn more about Compliance Requirements
If you do not have a CISO in place who can help you manage the cybersecurity implications, management and policies, the task of building a board-level case for IT security investment is more complex.
An on-demand CISO might be the answer: an external expert who reports only to you, so they cannot be dragged into other projects.
This can be a financially efficient way of getting ready for a board budget meeting. A CISO On Demand service can be used to ensure you are fully up to date on all compliance requirements, fill you in on the latest security trends, and provide practical, broad experience of which tools and services best serve a firm with your business goals. They can also organize risk assessments and make sure you have the information you need when you go in to fight for budget.
Learn more about CISOs on Demand
No matter how you decide to approach it, we recommend you prepare well and focus early. And if you do decide to go with outside experts, ensure you vet them properly. Here are 43 questions you can, and should, ask potential CISOs, penetration testers and other providers.