Risk is up and budgets are down
Organizational cybersecurity is a business issue, one could even say a finance issue, not just an IT issue. Gone are the days when cybersecurity was a luxury investment. Worldwide attacks are growing daily in frequency and complexity, regardless of the business size, and strong, preventative cybersecurity is now a vital component of the ongoing operations of any sensible organization.
Since the disruption of COVID, the cyber threat landscape has changed. More people are working remotely and using their own devices. Security teams have less insight into day-to-day employees’ activities and projects outside their own teams. Recruiting and retention now means spending more to keep the best in a time of skill shortages and workers changing jobs at historic rates. Budgets are tighter than ever, overheads are rising, and many organizations have been forced to cut back spending across the whole enterprise. As such, busy CISOs need new ways to find funding and justify sustained or increased budgets.
Clean your own house first
Before CISOs start to look elsewhere they should look at their own department and how their existing cybersecurity team can save time and money. Obviously, this makes sense, but it also shows that you have already taken action when you reach out to find funding in other parts of the business and have already cut back on those non-essentials and consolidated licensed software and operational overheads.
Evaluate and consolidate your existing security tools. This will help to cut back on unnecessary costs, reduce overall security clutter, minimize the necessity for high departmental skills, save critical time-to-action and unnecessary effort, eliminate overlapping functions, and generally streamline the management of a business’s IT security posture. All of this looks good when looking for funding from the wider business when the monthly SaaS bill is already making savings each month.
Save both time and money by ensuring your team has clear visibility into data and cutting down on clutter from notification fatigue. Relieving the pressure caused by erroneous and unnecessary alerts and automating laborious manual tasks means more team time can be spent on other tasks. These might include adding value through security training (which gets the team, and its importance, seen across the wider organization), security exercises, ongoing cybersecurity assessment, documentation, reporting, and educated incident response. Focusing team time on mitigating the real threats is a genuine return on investment (ROI). ROI is what those who hand out budgets want to see.
Showing others the money
It’s very likely that your business already has a roadmap for cybersecurity and for quarterly budgets, which usually include a spending plan based on pre-defined expenses and expected income. This will already identify available capital, estimate departmental outgoings, and is there to help predict outlay and revenue, to plan business activities, and to dictate financial spending. It doesn’t change mid-flow – it’s deliberately written in stone to give a department limits and expectations – changing that budget outside of the designated budgeting period is, barring extreme emergencies, a no-no.
Year on year, as with most departments in a business in-line with inflation and growth, the cybersecurity budget will need to increase. Each year to justify this increase, it’s common to communicate a credible and valid need so that others, particularly those in a financial management/C-suite capacity, can better understand the reason for a rise in proposed spending. To a degree, this is expected, but considering the current changes such as the rise in remote working, bad actors continuing to exploit the COVID-19 crisis, the increase in app production, the rise in ransomware attacks, the migration towards cloud services, warnings from government services about potential threats, and many more factors, cybersecurity teams will inevitably require more strategic funding in the months to come.
Once you have shown what you have already saved, show your stakeholders what you will need to succeed by showing them the ROI from any investment. Illustrate, for example, the cost of an insider data breach vs the cost of protection. Demonstrate the cost of fines for a breach to the General Data Protection Regulations (GDPR) or Data Protection Act (DPA), both financially and to reputation. Show them the frequency of attacks in their industry, and how many of their competitors are attacked by ransomware or DDoS attacks every day. Our own Imperva Cyber-Threat Index shows monthly measurement and analysis of the global cyber threat landscape across data and applications and maxis for sobering reading. For those who work with numbers, numbers like these compared to the cost of investment make for good financial sense. By clearly and concisely showing them the financial risk of not investing enough resources and budget is a risk so prevalent, focusing on the specific needs of a business over general trends, you can offer a genuinely persuasive argument for appropriate investment.
Show what any investment would actually bring to the business – for example the saving in colleague hours, equating to money, of automating insider threat management, automated reporting, or reduced false positives. Cybersecurity goals are business goals – uptime, productivity, safety, compliance, efficiency, and any argument should be pitched accordingly.
Making internal business partnerships
In addition to cutting back on expenditure and demonstrating ROI to your C-suite, there are other areas in which it’s possible to find a little more cybersecurity budget.
It may be possible to convince other areas of the business to include elements of cybersecurity costs into their own budgets. If a department is tasked with developing a new application that’s a strong case for runtime protection. Creating a new web presence for eCommerce will require DDoS mitigation, insider threat protection, bot management, WAF firewalls, account takeover protection, APT protection, and maybe more. If CISOs can add cybersecurity costs to the budget of other departmental projects, so much the better. It will be necessary to convince other areas of development that developing projects without considering security could put the business at risk, but this is an unavoidable truth and many of these arguments can be circumnavigated – once again – with solid ROI facts and figures.
Get legal and HR on your side. A strong argument for cybersecurity should come from the wider business. It is, after all, everyone’s responsibility. If you have other areas acting as your champion, insisting on staff phishing training or regulatory compliance, it will go a long way to bolstering your case for increased investment.
A security-first culture
Developing a culture of security, based on a common language and understanding of roles, responsibilities, and consequences, is important to an increase in investment. Showing our colleagues that funding for the right tools, the right people, and the right strategy will offer the right protection (e.g., the return on investment, in line with organizational goals, etc.) is going to be the crux of your argument for improved budget spending.
It is important for everyone in the organization to adopt a cybersafety-conscious mindset. People need to see the value of IT security, as well as be abreast of common email phishing and whaling tactics. Security teams need to foster a culture of responsibility where taking the time to consider the security implications of actions, through email, by phone, email, or via social media is paramount. The ramifications of not investing in a stronger cybersecurity posture are obvious. Put them in a language everyone can understand and help your organization see that cybersecurity is a business issue and a finance issue, not just an IT issue.
Try Imperva for Free
Protect your business for 30 days on Imperva.