5 tips for winning a bigger cybersecurity budget
Despite the constant stream of data breaches and ever-larger criminal attacks against healthcare and other organizations, CIOs and CISOs are facing a stumbling block when trying to win approval for a larger security budget: Upper management questioning whether they can execute on proposed projects.
So how to convince them?
Researchers uncovered a fistful of tactics while compiling a report titled Identifying How Firms Manage Cybersecurity Investment. Authors Tyler Moore, Scott Dynes and Frederick Chang of the Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas offer the following five tips.
- Get breached. The most dangerous, and perhaps obvious, technique is also a sure-fire guarantee. While no healthcare organizations would or should intentionally trigger a breach, one CISO told the researchers that "upper management has gotten religion about how important security is." Translation: organizations that have been breached tend to react with substantial security investments.
- Make security real. Short of an actual breach, of course, there are ways to instill the security religion. Demonstrating existing vulnerabilities is one; another is to point to high-profile breaches such as Anthem and even to institutions outside healthcare, most notably Target. Dig a bit deeper than the headlines to find out what happened, how much it cost the organizations and other ramifications as examples of what is possible and, in turn, should be taken into account within a corporate-wide security strategy.
- Institute a framework. The authors described this as a "tried-and-true" approach and explained that "a custom framework built on ISO and NIST guidelines has satisfied management that the CISO has a solid plan for investment." In addition to using the framework to demonstrate vision, many CISOs reported harnessing it as a communications platform for "bridging the gap between IT thinking and business thinking," by using the tool to make security threats and risks more clear, easier to understand.
- Play the compliance card – but do so wisely. It's a mantra chanted time and again in the healthcare realm: security-by-compliance just doesn't cut it. Indeed, meeting HIPAA requirements is not enough but providers must manage just that and, as such, compliance is an effective way to get projects funded. But "the most effective CISOs tended to avoid making cases based primarily on compliance alone. As one CISO remarked, 'I try, in everything that I communicate about why we're investing in security, I always try to make the compliance argument the last thing because I think that way too many programs are aligned around 'What's the minimum thing I have to do to get a check mark? And if I get a check mark I must be fine'. I don't really talk about the security program from a compliance standpoint very often."
- Consider return on investment. This is a difficult tactic because cybersecurity has traditionally been viewed as something of a cost center, with One CISO saying "in security, ROI is a fallacy," and only a small number of participants indicated that they use ROI metrics. "The interviews themselves made clear that there was much more focus on process measures than outcome measures," the authors wrote. "A focus on controls – finding and fixing gaps between current and desired cybersecurity posture – dominates. There is much less focus on the actual results of cybersecurity efforts, such as examining costs and the effectiveness of controls."
Flipping the perspective around offers another finding to be bear in mind: What's not driving larger investments?
"Cost reduction was only selected as a top driver by one respondent. Even though security is often portrayed as a cost center to the business, few CISOs view security spending as an opportunity to reduce costs for the firm. Customer requirements, while selected by a few respondents, is also not widely seen as a driver of security investment."
What tactics have – and which have not – worked to earn you a bigger cybersecurity budget?