Fantastic article by Douglas Ferguson in Dark Reading about the challenges CISOs face in the C-suite, battling for money. The challenge for IT and infosec is often that, if things are going well, it’s tough to get investment from higher up to KEEP them going well. After all, if you give an increased budget to the sales team to hire more sales reps, the company would likely see an increase in revenue. Pretty straightforward.
However, if the CISO asks for more resources to develop their pool of analysts or implement a new tool, it’s often met with pushback. The CEO says, well, things are okay now, so you don’t need more money to keep not being hacked. In fact, maybe the cybersecurity team can figure out how to keep doing what they’re doing, but with a smaller budget…
This article illustrates a simple but arresting way to help a CEO and her team grasp cost vs. reward. If you quantify the risks (of data loss, of a malware infection, etc.) and tie them to the resources spent, you can make a simple slider or graph. E.g. (and I’m totally making these numbers up…):
- (InfoSec Budget -25%) = 9% likelihood of a security breach.
- (InfoSec Budget) = 6% likelihood of a security breach.
- (InfoSec Budget +25%) = 3% likelihood of a security breach.
Quoting from the article…
By framing security this way, risk appetite becomes clear in the most meaningful way, based on the willingness to balance spend against potential risk outcomes.
The CISO (or whoever is advocating for the blue team budget) can help the decision-makers understand that they are accepting more risk based on the level of protection they are willing to invest in.