Scott Schlimmer wrote a great post at CSO about the constant battle between profitable business investments and “unprofitable” security investments to protect the current bottom-line.
Despite the headlines, growth-oriented executives tend to prioritize other expenses. Here is an excerpt, with a link to the post at the end.

Despite repeated major, high-profile breaches, most cybersecurity teams still struggle to get sufficient funding. “After this hack, cybersecurity budgets are bound to increase.” We’ve all thought it. But, curiously, it may not always happen.
According to Russ Verbofsky, CIO and CISO at the New Mexico Department of Game and Fish, “You can pay me today or tomorrow. But tomorrow includes a press release describing that we weren’t proactive in protecting our data and systems.”
The problem is not necessarily lack of funds. Another CISO from a medium to large US state commented, “From what I have seen, the issue is not necessarily that the money is not there; typically the issue is that security almost always competes with other operational priorities.”
So, what can a security professional do to get around this odd phenomenon and ensure the funding necessary to protect his or her company from becoming the next Equifax?
1. Speak their language
Cybersecurity experts have a habit of losing and confusing their audience, often by speaking too technically and with too many acronyms. If your board or executives don’t understand, they’re going to be more hesitant.
2. Use metrics and visuals
Focus on business-oriented metrics. How much monetary loss have your controls prevented? How many dollars are likely to be saved through the investment you’re asking for?
Also, you need to speak in charts. Executives need simple visuals to show these things. Picture the cliché charts of profits going up. If you can’t do this in-house, then it’s vital that you outsource it. It will pay off later, with increased buy-in and budget.
3. Get outside verification
Another Fortune 500 CISO put it best. “Frequently, management doesn’t believe the experts they hire. After failing an audit, then they start to believe.”
Link to the full post with more detail.
Free Phishing Security Test
A great way to convince C-level execs is with the Phish-prone percentage of your organization.
Cyber-attacks are rapidly getting more sophisticated. We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone™ with our new, improved free test.
This was cross-posted from SecurityIntelligence