#HowTo: Approach Budgeting as a CISO

The role of a CISO is to protect the business, its people and its data. A major part of this involves managing your budget to support business priorities. According to Gartner, by 2023, 30% of a CISO’s effectiveness will be directly measured on their ability to create value for the business. This means that any cybersecurity program should align with the business plan, protect existing revenue sources and have controls in place for newly created revenue streams from new products, acquisitions or new locations.

Expand Relationships with Other Departments

Where possible, demonstrate how your budget decisions link directly to how your business generates revenue or accomplishes other business goals such as operational efficiency. This will establish you as a business partner and cybersecurity as a business enabler rather than a cost center.

Alongside this, you look at how to demonstrate your business acumen as well as your technical expertise. Wherever possible, you should explain cybersecurity risks based on business impact and use business language and risk profiles to find ways to enable new initiatives while minimizing those potential issues over time.

Taking this risk-based approach does require you to develop strong relationships with multiple business functions within an organization. This involves finding common ground to start with and then using these concerns to engage in a consultative manner on ways security can help. By starting with business concerns, you can link your budget spend to results.

Know What You Have in Place

A typical approach to allocating the budget will start with your most important priorities. However, to deliver this, your priorities have to be accurate. The budget cycle should begin with assessing company assets and risks and an accurate overview of your IT assets and resources. Understanding the most critical assets for the business will ensure they are assigned adequate protection, but you also have to know everything that is in place.

The assessment findings will be integral for your budget planning and recommendations. For instance, it’s still quite common to find companies that don’t have accurate IT asset inventories or lack key mitigation elements such as anti-phishing training, cybersecurity indemnity contractual clauses with business partners, cyber insurance coverage and crisis management framework.

An effective budget must also include allocations for security training and culture development, so every employee values it. Security culture means getting all employees to be part of the company’s security and risk posture and to engage in secure behavior. These investments should also recognize role model employees in compliance and incident reporting.

Look at Your Approach to Skills and Automation Together

One of the best investments any CISO can make is in skilled people. With the market skill gap, it’s very difficult to acquire and retain talented security professionals. As a result, you should invest in developing your existing employees as much as possible, as well as maintaining a culture that retains them.

You should look at how to automate and make your staff more effective. Security teams can operate in stressful environments, so helping your team be more efficient will make their lives easier and deliver better security as well. As you analyze potential investments, consider how much they cost and how much they could save.

Taking away manual process steps with automation links back to the culture side too. Building a high-performing security team in-house does take investment, but it is better to develop your people who already know the company.

Set Your Budgets Differently

Under the current challenging circumstances, cybersecurity budgets are predicted to remain at best steady. Consolidating your suppliers can help deliver more with less, particularly by reducing the proliferation of point solutions to problems. Over time, vendors launch more complementary offerings to market, which can help you rationalize some of your security vendors down, resulting in significant cost savings.

For example, you can move to a shorter quarterly budget review rather than annual reviews. This will help you focus efforts and resources more precisely to where they are needed. If a vendor is not delivering enough value, then you can make a decision faster. 

From an investment standpoint, executives and board directors expect “value for money.” You should always align the business to the right level of security investment versus the risk to business impact and likelihood, based on business risk appetite.

Tell it Like it is

All budgets are reviewed over time, and all cybersecurity teams should report to the executive leadership team on their results. To make this effective, consider how to design meaningful metrics that demonstrate your contribution to business value creation as well as managing security risks. This should ensure that you have proper monitoring of your cybersecurity operations for continuous improvement and that you get support in the future.

To summarize, CISOs need to conduct a thorough assessment of current security posture and evaluate how security can contribute to business objectives and priorities. This will give you the path for prioritizing and managing your budget.

What’s Hot on Infosecurity Magazine?