Winning Budget and Trust as a CISO

Matias Madou, Co-Founder and CTO, Secure Code Warrior

Nearly thirty years after the first CISO role was established at Citicorp, the role finds itself in a difficult position. The demands have never been higher—more assets to protect, a larger attack surface, more incidents than ever before.

Every company today is a technology business, digital-first in its approach and embracing new ways of working. But this means that every modern business has a far bigger attack surface that needs the best possible protection. Cybersecurity is viewed as a cost center, and even though it is vital in shielding businesses from digital disaster, security leaders are having to do more to show that their department is worth its budget. How can CISOs best advocate their value?

Change the conversation—Every department is currently fighting for funds and facing scrutiny for the products they buy, the hires they make, and their strategic impact on business objectives.

There’s a need to communicate the outcomes of cybersecurity initiatives in terms that make sense outside of numbers in a spreadsheet. Stakeholders have different levels of technical expertise and understanding, so the case needs to be compelling and understandable. They will likely want to know: what in the business needs to be protected, how is it done, and by whom? And how does the business’s cybersecurity budget compare with the scale of attacks?

A business that suffers a successful attack will undoubtedly lose trust. That makes security leaders custodians of customer trust. Keeping that trust is just as vital as prioritizing sales and marketing goals, and it should be part of any high-level discussion on the value of cybersecurity. Taking the discussion in this direction will be more productive in the long term than scare tactics.

Prove the value—Sometimes big numbers just sound like big numbers. The statistics around cybersecurity attacks may seem guaranteed to win any argument about budgets, but sometimes scaremongering just isn’t enough. Sure, cybersecurity is a priority, but it’s not the only one. When advocating, CISOs need to be prepared to answer: is this budget increase going to be used for anything new or different?

Only 50% of companies feel they have an adequate budget to tackle their known cybersecurity issues. And with global cyberattacks increasing by 38% between 2021 and 2022, stagnant or decreasing budgets are going to prove painful for many CISOs. Innovating through adversity and proving the value of the cybersecurity team could be the answer many senior security leaders are searching for.

‘Prevention is better than cure’ is a cliché for a reason: it’s mostly true. A holistic cybersecurity program must extend well beyond reactive measures, and that includes getting developers on board. It should include education that tackles common security bugs, eliminating these issues at the source. By making developers essential members of the security team and upskilling the development cohort, CISOs can improve security practices and demonstrate the security function’s worth beyond reactive protection.

Security as a brand—If CISOs wanted to do marketing, they wouldn’t have become CISOs. But it’s an area where most CISOs can improve, particularly when selling their case to management.

The impact of a cybersecurity program on customer trust and brand loyalty is more important than ever, and a large-scale breach can be disastrous. How should this be communicated? Not necessarily through big scary numbers and the tools that can prevent a breach. Instead, security should be sold as part of a company’s brand. Aligning the company’s stringent security practices with core brand values sends a clear message that customers can rely on the organization for data privacy and protection. It’s critical that the modern CISO takes the time to highlight the competitive advantages of security strategy and policy as they relate to ongoing positive customer sentiment and trust.
