How CISOs should advocate for cyber budgets


Chief information security officers (CISOs) play a critical role in safeguarding an organization's digital assets and IT infrastructure against an increasingly complex landscape of cyber threats. Not only are they responsible for developing the organization's cybersecurity program, but they also have to consistently present new ideas to the board, whose members more often than not lack the technical understanding of a CISO or other senior IT roles. CISOs must not let the budget cycle slip away and miss a crucial opportunity to acquire the tools needed to bolster their organization's security.

Data from YL Ventures shows that more than half of CISO budgets are decreasing or unchanged, making it even more crucial for CISOs to justify their cyber budgets to the board. This requires them to communicate effectively the fiscal impact of a potential breach, the risk the organization carries, and the return on protective investments compared with the hefty losses associated with a breach.

The process of forecasting for the approaching business year is primarily determined months in advance — ideally before the end of Q3. Developing a budget framework early will give a better view of what investments are possible in the coming year, and where allocation will be most worthwhile.

Mark Bowling

Chief Information Security and Risk Officer at ExtraHop.

Decoding cybersecurity for business leaders

Cybersecurity and IT solutions are highly technical, and CISOs must articulate the benefits of investing in these solutions and how cybersecurity objectives align with the organization's overall business goals.

It is important here for the CISO to speak the language of the business and come across as a communicator, not a planner or a technologist. By highlighting how robust cybersecurity measures support revenue growth, customer retention, and brand reputation, they can help the board recognize that cybersecurity is not just a technical concern, but a strategic imperative.

CISOs need a readily accessible and well-documented list of supplementary items that can be requested when specific circumstances arise. This enables them to give corporate boards or CEOs additional information on spending opportunities quickly, especially after events like SolarWinds or CISA's Shields Up alerts. Each item on the list should be thoroughly justified and explained to ensure transparency and accountability.

Presenting cybersecurity concepts and solutions in terms that resonate with board members' priorities and concerns helps bridge the gap between technical experts and decision-makers. This is why the CISO must do more than simply present. They must first listen and learn, so that the other stakeholders have confidence that the CISO is proposing solutions that address risks facing the enterprise. 

Quantifying risks and showing truth in security

CISOs can assign a measurable value to cybersecurity investments by assessing the potential impact of breaches. Rather than presenting a vague and catastrophic scenario, it is more effective to identify specific areas of vulnerability and the risks they pose. Working from a comprehensive, research-backed risk assessment and mitigation strategy, CISOs can identify and articulate the cyber threats the organization is susceptible to, and estimate the financial and reputational losses that could result from a breach.

There are two main ways to decrease overall risk: managing the probability of an event occurring, or managing the consequences of an event. Measures such as detection and prevention help decrease the likelihood of an event happening, while insurance, cloud backups, and incident response plans help minimize the impact of an event once it occurs.

Using industry data and trends to back up the assessment paints a clearer picture of why cyber protection is necessary. New data from ExtraHop indicates public companies that experience a data breach can see their stock price fall by an average of nearly 9% in the year following the incident. These companies also report an average 73% drop in net income, showing the long-lasting and wide consequences of a breach not only for the organization, but for customers and shareholders as well.

By conveying how cyber incidents can disrupt operations, cause downtime, and lead to financial losses, CISOs can stress that cybersecurity is about protecting data and preserving the organization's brand reputation and ability to operate without friction. By implementing controls that ensure the system's resilience to disruptions, the CISO can minimize reputational risk and maximize system availability.

Demonstrate success and return on investment

Regulatory fines and legal actions resulting from data breaches can have substantial financial consequences. By showcasing how cybersecurity investment can help the organization avoid such penalties, CISOs can underscore the importance of proactive measures. 

The same report from ExtraHop mentioned above indicates that the average cost of a data breach for a company in the U.S. is around $9.44 million. When this number is compared against the costs of controls, remediation, and countermeasures, the value of the reduced risk becomes evident.

Additionally, developing and presenting various cyber breach scenarios can help contextualize the potential impact on the organization's operations, reputation, and finances. By outlining different attack vectors, the extent of data exposure, and the subsequent fallout, CISOs can highlight the importance of cybersecurity investments in mitigating these risks. Leveraging metrics, data, and visuals can help CISOs present complex information in a digestible format.

An organization's primary goal in cybersecurity is to establish, propagate and maintain trust. All investments in cybersecurity should align with this mission, and all business leaders should work towards it. It is important to keep company leaders informed of significant accomplishments and to share detailed reports that highlight the prevention of losses, such as the number of thwarted attacks. This approach quantifies the effectiveness of security solutions and demonstrates the value of the products purchased.

By establishing a solid business case and quantifying potential breach costs, CISOs play a pivotal role in helping the board recognize that cybersecurity is not merely an expense, but a required strategic investment that can safeguard the organization's reputation, financial stability, and long-term success.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.