Despite frequent news headlines describing large-scale data breaches around the globe, chief information security officers (CISOs) still struggle to justify security investments to top leadership. According to Gartner, security spending makes up only about 5.6 percent of overall IT funds.

Whatever security budget is ultimately approved by enterprise leadership, it’s up to CISOs to optimize the allocation of that money. More funds might help, but only if CISOs know how to spend them effectively — and that planning starts before the first pitch. Let’s take a closer look at four key steps security leaders can take to maximize their return on security investment.

1. Assess Risks, Assets and Resources

A CISO should first thoroughly evaluate the systems, data and other business assets that are both valuable and potentially at risk in the organization. Today, these assets make up an ever-evolving network, and priorities will shift over time to reflect changes in the business and the threat landscape.

“You should first identify and document the assets you need to protect most,” said Jo-Ann Smith, director of technology risk management and data privacy at Absolute. “What’s important to your business, and what are the main threats to your systems and data?”

That evaluation needs to take place before you even set foot in the executive office or boardroom to advocate for security. Its findings will be foundational to the security program’s goals and budget recommendations. Technologies purchased and the needs they serve will be unique to each business.

In other words, the results of the initial review could mean many different things for different CISOs. The general models provided by industry frameworks can help security leaders shape priorities and identify gaps specific to their businesses.

Kip Boyle, CEO of Cyber Risk Opportunities, noted that the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the best method to assess cyber risk.

“We find that most companies are underinvested in such key mitigations as indemnity contractual provisions with suppliers and customers, antiphishing training, cyber insurance coverage and crisis management planning,” he said. “Yet these are all crucial to mitigating modern cyberthreats.”

Listen to the podcast series: A CISO’s Guide to Obtaining Budget

2. Align the Security Budget With Business Goals

When demonstrating the return on security investment to executives and board directors, security leaders must speak the language of money. How does security serve the business?

“CISOs should always align with the business when evaluating how to spend,” said Larry Friedman, CISO at Carbonite. “Security spend should be calculated based on the risk associated with assuring continuity with important business processes.”

This goes beyond protecting data and maintaining regulatory compliance. Seeking opportunities to use security funding not just for risk mitigation, but also to boost revenue and accomplish other business wins such as enhanced productivity, helps the CISO position security as a dynamic business enabler rather than a static cost center.

The CISO should implement automated security intelligence and analytics tools to reduce the security team’s busywork and help it focus on more strategic projects. As you analyze opportunities for investment, consider not only how much they cost, but also how much they could save the company or add in value.

3. Hire and Train Good People

The oft-lamented cybersecurity skills gap shows few signs of closing. A recent report from the International Information System Security Certification Consortium (ISC2) placed the worldwide cybersecurity skills gap at almost 3 million unfilled positions, and about two-thirds of businesses believe they have inadequately staffed security teams.

It stands to reason that one of the best investments in a security program is an effective staff. However, in a tight market for employers seeking talent, organizations may have to look inward and invest in training employees who otherwise might not have considered a security career.

By training people who are already part of the organization and recruiting them to work in security, CISOs can offer opportunities for professional growth and build their security teams while taking advantage of the employees’ institutional knowledge.

4. Invest in Security Culture

An effective cybersecurity strategy must include a corporate culture in which every employee values security. But the “2018 Cybersecurity Culture Report” from the Information Systems Audit and Control Association (ISACA) and Capability Maturity Model Integration (CMMI) Institute found that most organizations still struggle with establishing a security culture. In addition, 95 percent of survey respondents noted a gap between their current and desired organizational culture of cybersecurity.

What does it mean to build security culture into business? It means getting all employees — from the security team to the executive suite — to feel invested in the company’s security and risk posture and to engage in secure behavior. Investments in security culture could include initiatives such as awareness training, a secure development life cycle program, and rewards for employees who demonstrate compliance and report incidents.

Some numbers bear out the benefit: According to the ISACA/CMMI study, organizations that reported an inadequate security culture spend 19 percent of their annual cybersecurity budget on training and awareness. Firms that reported stronger cultures spend a share more than twice as large on average (43 percent).

In an ISACA blog post about the study results, Heather Wilde, chief technology officer (CTO) at ROCeteer, noted that the benefits of security culture investment go beyond security. A majority of respondents (66 percent) said their organization experienced a reduction in cyber incidents, but Wilde noted that many other benefits were customer-facing: improved trust, stronger reputation and increased revenue, to name a few.

There is no simple answer to the question of how best to allocate security budget dollars, and the optimal course will vary widely from business to business. But a thorough assessment of a company’s current security posture and culture, along with an evaluation of how security can benefit business goals and enable the company mission, gives the CISO a road map for prioritizing investments.
