Protecting against cyber criminals can be a daunting task. The threats are constantly changing, the criminals are becoming more sophisticated, and the attacks are becoming more numerous. Many CISOs have been left struggling to decide which security products represent the best use of their budgeted funds. By exploring the reasons why allocating funds for security products can be a struggle, a simple trick emerges which can help make all of the pieces fall into place.
Why Budgeting for Security Products Is Complicated
Increasingly, CISOs are expected to justify expenditures in terms of the return on the investment. CEOs, CFOs and most other C-suite executives want to see "hard numbers" that explain exactly what they are getting for the money they are spending. However, security does not lend itself to the metrics that are typically used to justify capital expenditures. Most of the benefits delivered by security products are intangible. For example, if a CISO wants to spend $100,000 on a firewall, the justification may include information about the threat and the company's vulnerability, as well as case studies of companies that paid dearly for ignoring threats and vulnerabilities. Unfortunately, this information may carry little weight with those who need to approve the expenditure; they simply cannot convert it into a business case and an ROI dollar amount.
Budgeting can also be complicated by the CISO's lack of insight. CISOs need visibility into what each security product provides, including whether each product is being used effectively and whether each product is yielding the expected results. They also need easy access to historical data, including the types of attacks that the company has faced and is most likely to face in the future. For example, did hackers launch a persistent attack or was malware introduced when an employee fell victim to a phishing campaign?
The more knowledge the CISO has, the easier it will be to allocate funds correctly. Historically, most CISOs have focused on attack prevention, investing significantly less in detecting and responding to threats. Cybercriminals have repeatedly demonstrated that, with persistence, they can penetrate most preventive security, including firewalls, single-factor authentication and signature-based antimalware. Preventive security products certainly ensure that not every hacker can succeed, but a sophisticated criminal may still penetrate an organization’s defenses — and it takes only one success to potentially ruin your organization’s reputation and business.
One Simple Trick: The Security Scorecard
At its most basic definition, cybersecurity is about managing risks. The assets that require protection, the threats that place the assets at risk, and the potential harm to the company that a successful attack could cause are all terms that most managers understand. Disaster recovery, business continuity and regulatory compliance are also concepts that C-level executives can grasp. CISOs have access to vast amounts of data that can be used to identify and assess risks, but how can they present this information — much of which may appear incongruous to those not involved in cybersecurity — in a way that will not be overwhelming or difficult to understand?
The answer is a security scorecard. What CISOs need is a platform that can give them visibility into all of the security products that the organization employs. A security automation and orchestration platform serves as a hub that connects all security products. This allows a security scorecard to be built for incident response functions. CISOs can then use the scorecard to make informed decisions about budget allocations for various security products. The scorecard also provides valuable, organized information that can be used to justify expenditures or allocations for those who may need to issue the final approvals.
Scorecards can help CISOs frame information so that other executives can relate it to business goals. After all, cybersecurity is not a freestanding silo with no connection to the rest of the company. Digital risk management touches every department, from human resources to marketing. Cybersecurity products must contribute to helping the company achieve its overall goals, and CISOs can use scorecards to demonstrate how security products relate to those goals. For example, if the company's goal is to maintain its reputation for integrity, scorecards can help show that a successful breach could damage that reputation. If the goal is to make information easier for field personnel to access, scorecards can help demonstrate that without adequate security the plan would not be viable. The key is to determine what the company cares about most; if the leading concern is confidentiality, emphasizing easy access to information could undermine the CISO's efforts.
As the number of security products continues to increase, CISOs will face an ever-changing list of vendors offering new takes on the world of cybersecurity. At the same time, CISOs are going to be held increasingly accountable for their purchases. They are going to need to employ every trick they can find to help them justify their needed expenditures.
CISOs must not be too hasty to discard security products that are still useful and effective, but must be willing to pursue advanced technologies that can help them keep their organizations secure against ever-evolving attacks. There is no universal way to allocate a security budget. Instead, each CISO must consider the threat surface, the adequacy of legacy products, and the availability of innovative security products to decide how to serve the needs of the organization properly. Security scorecards provide a useful tool for CISOs who are still struggling to decide on the best way to allocate funds for various products.
This article was originally posted on: https://gcn.com/articles/2017/10/19/budgeting-for-security.aspx