Having a hard time getting security budget approval? Start by being relevant and communicating.
High-profile hacks of RSA, Sony PlayStation and LinkedIn, to name but a few, have brought increased attention to information security, but CISOs still face challenges in getting budget and business-case approvals. And who is to blame if the board doesn't ‘get it’? We are.
If we keep thinking that it's someone else's problem, nothing is going to change. CISOs need to be in control of their destiny. Nobody else will do it for us.
The current business climate is tough, and boards are under a lot of pressure to deliver on shareholders' expectations, strengthen the balance sheet and increase profitability. What a CISO needs to demonstrate is how the security function can help to achieve these objectives.
I have often heard it said that security needs to be a business enabler. Do business executives believe in it? Do they see the security function the way we want them to? Board members and senior executives do not necessarily share our passion for information security and risk. They have a number of things occupying their mind, and security happens to be just one of them.
We might think we are doing a great job, but what do our passion, activities and firefights mean to business executives? What demonstrable value do we bring to the table?
Do they see relevance in our day-to-day activities and our initiatives? The reality is they often don't, and spend money on the security function only to comply with audit and regulatory requirements. Businesses have limited money to spend on various initiatives, and security is competing for its portion with other functions within the organisation. Executives will spend just the amount that is required to avoid being fined. However, CISOs are looking for investment in security improvements, not just in compliance targets.
In our day-to-day life, whether we are buying a service or a product, we expect to get desired value for the money spent. If I am paying money to Netflix monthly for an on-demand video service, I expect to be able to see films on my multiple devices any time of the day. If not, why should I continue to pay? The same goes for the board and business executives – they need to believe in the return when signing off the firm's security budget.
For most organisations, information security's proportion of the annual budget has been increasing year on year. What business executives struggle to understand, however, is what they are getting in return. They need to truly believe that services provided by the security function are relevant and support the delivery of strategic business goals and objectives. And I don't think that continued security incidents and industry research reports alone can do this for security leaders.
CISOs will succeed in getting desired budget and business-case approvals when business executives have greater trust and confidence in the security function. CISOs can help to bring this about by effectively communicating the business benefits of the security function. They also need to consistently meet business goals and objectives, as well as build allies and ensure senior executives know them for the right reasons.
In a nutshell, boards need to believe in the relevance and value of the security services being paid for. However, CISOs can't demonstrate this simply by going about their day-to-day activities – perception management, too, is very important.