CISOs face many hindrances while beefing up the cyber-security of their firms. One, however, towers above all: budget.
There is an acute skillset shortage in the industry and the training and development budgets hardly meet essential needs, according to industry leaders speaking at the Infosecurity Europe 2019 conference in London.
"We all recognise that it is really important to train and upskill the engineers we have today to become cyber-security experts over the coming years," said cyber-security consultant Mo Ahddoud. "But often, when you are putting your security strategy together, this training budget is one of the first things to be reduced, if not cut."
He cited the example of a tech leader who pitched a new proposal to management, only to receive a single question: can you do it cheaper? "I think the cultural perspective of the organisation needs to change there," Ahddoud said.
Convincing engineers about the need for training and new systems is a major step in getting support for the cyber-security budget, observed Robert Orr, principal consultant at Context Information Security. "A lot of people who never had exposure to cyber-security, including many engineers, don’t want to appear stupid before their colleagues. We tend not to ask dumb questions," he said.
Relying on qualitative assessments instead of quantifying the possible monetary benefits also acts as a deterrent, Orr said. "We can’t persuade people to invest in security because we never do quantitative risk assessment. We should list cyber-security in terms of pounds and dollars, so that the business executives can measure their investment on the risk perspective."
A report by the Boston Consulting Group (BCG) earlier this year said the question "are you spending enough on cyber-security?" puts business leaders—including the CEO, chief risk officer, chief information security officer and even chief financial officer—in a difficult position. "A ‘yes’ will leave you precariously positioned if—or when—your cyber-security falters. Say ‘no’ and you’ll likely trigger a scramble to purchase something—anything—that can reverse that answer and protect you from the perception of negligence," said the report.
"Businesses have to demonstrate a return on their investment," said Raj Samani, chief scientist at McAfee. "We need to demonstrate and articulate value that we provide back to the business." He pointed out that no business case had ever been written that showed a demonstrable return on the budget allocated for a security programme.
"When the marketing departments demand X amount of money, they also provide Y amount of leads for that," he said. Citing the example of a client, an oil company that doubled its business after streamlining its operations with adequate security built in, Samani said the security department has to show its contribution in terms of benefits.