
5 Approaches To Setting Cyber Security Budget – Comtact

At some point, every security team is faced with a very small budget to adequately protect the organization. At such times, it is important to understand how the internal financial “game” works.
This slideshow will include five tips to help you persuade decision makers to allocate more money to cybersecurity.
For more details, visit: https://comtact.co.uk/

jbennett07

Presentation Transcript


  1. 5 Approaches To Setting Cyber Security Budget – Comtact

Nobody likes to talk about budget. Moving is never enough, and most decision-makers prefer to focus on cybersecurity rather than revenue-generating activities. At some point, every security team is faced with a very small budget to adequately protect the organization. At such times, it is important to understand how the internal financial “game” works. This article will include five tips to help you persuade decision makers to allocate more money to cybersecurity.

Tip #1: Speak Their Language

When it comes to securing a budget for any company, the first step is to buy and sell to the decision makers, whether it's a board, an executive team, or a single executive. This is easier said than done, and there is no single formula for success. However, there are a few things to keep in mind:

1. Focus on business language, not technical metrics. In general, talking about risk and loss prevention is more compelling than making overwhelming decisions with cybersecurity data.
2. Showcase the risk and potential impact of cyber incidents on your organization. For example, the average data breach in 2021 will cost UK businesses around £3.5 million, and that figure is up more than 20% from the previous year. Costs are naturally low for small organizations...but not too low. Institutions below 500 staff still have an average data breach cost of 2.2 million. Educating decision makers with such figures from reliable sources can go a long way in adding credibility to your budget request.
3. Show how security can be different for an organization. This is easier in some industries than others. If this is not possible, show why it is a necessary expense of doing business, for example, because loss of customer confidence can have devastating consequences.
4. Showing is more effective than telling. If decision makers don't understand security, consider running them through a virtual exercise (for example, a ransomware attack) that shows how the threat might enter the network, what might happen next, and what the consequences might be.
5. Decision makers are likely to listen to discussions of risks, for example ransomware or supply chain attacks.

  2. Only you can find out what decision makers want to see in a business case. Connect with colleagues across the organization and find out what worked (and what didn't) in the past; then use the information to your advantage.

Tip #2 – Enable Security

Over the last two decades, cybersecurity has developed a bad reputation as a function:

1. The money is spent for business purposes; and,
2. Actively blocks business progress by delaying important initiatives.

Let's be realistic. No one wants to put too much money in the expense center…and they don't want to put money in the expense center, especially on income-generating activities.

We need to go beyond these stigmas. Always try to show how security can support business goals and initiatives, not block them. Similarly, when requesting more budget, tie your request to current business initiatives and priorities and show how you can enable it.

For this to be possible, security leaders must 'get out of there' at every opportunity and approach the organization as a whole – actively participating in business activities and doing everything possible to ensure the protection of the organization without undue delay.

This is not really a 'hack' to get more budget. This is an operating model that will benefit the business...and make it easier to get a quote.

Tip #3: Show How The Current Budget Is Being Spent

Security is a technical discipline and is often poorly understood by budget decision makers. Therefore, it is difficult for them to know if the money already allocated by the organization for cyber security is being spent properly…and if it is appropriate to allocate more.

The simple solution is to maintain a set of simple metrics that show how your security measures are protecting the organization from cyber attacks. There are many tips on how to do this.

Beyond the explicit performance metrics, here are some things to consider:

- How security enables or supports important initiatives or goals. A proven track record is always better than promises.
- Where security supports improvements in business-critical metrics (for example, selling more products online due to website uptime).
- Case evidence of specific incidents that were prevented, including the potential consequences of failing to prevent similar attacks in the future.

On the one hand, having a basic understanding of how people think and what influences them can be invaluable.

  3. Tip #4: Explain Why An Extra Budget Is Needed

This is one of the tips that seems obvious… but rarely does someone do it because they are too busy. It takes time to find a compelling argument, leave the business alone, and most security teams already have some of that value.

Taking extra time to explain your request can be the difference between success and failure. To put it bluntly: "We need more budget" is not very convincing. "We need £100,000 over three years to improve the organization's ransomware resiliency by implementing a more secure network architecture" is more convincing, especially if you can explain why the proposed measures will make the organization more secure.

Tip #5: Find Out What Organizations Like This One Spend On Cybersecurity

Benchmarking is often given more quality than it deserves. It's one thing to know what your competitors or industry peers are doing, but if you don't know why... the information isn't useful. Regardless, executives and boards generally place a high value on benchmarking, especially if it's provided with other types of information, so it's a good idea to include it if it helps your business.

As a (even) general rule of thumb, most organizations spend 10-15% of their total IT budget on cybersecurity. If your organization is spending less, presenting this information to your board or executive team can help you spend more.

Obviously, the more specific benchmarking data you can find, the better. Finding budget data for a specific industry or geographic area isn't always easy, but if you can, you should definitely use it to your advantage. If you don't have financial data, look at statistics from your industry that show where organizations fall short in terms of maturity in key areas like Zero Trust. If your organization appears to be lagging behind in high-profile or high-risk areas, this could be an attractive investment case.

It's A Game - Learn To Play It

In the ideal world, budgets would be allocated to reflect the needs of each organization. Unfortunately, we do not live in that world. Decision makers do their best, but they may not be experts at everything. They are not cybersecurity experts; after all, it's a support job and usually not part of the core business.

To successfully get more quotes, you need to help them understand why cybersecurity is so important to your organization and what happens if it's not properly funded. To do this, you need to learn how to play the game in your organization. This is often difficult for security professionals, as they come from a technical rather than management background.

But if you take something from this article, leave it at that. As a security leader, perhaps the most valuable thing you can do for your organization is to increase your security profile. If you can do this consistently, it will be easier for you to get the budget you need and protect your organization from cyber threats.
