How CISOs can justify cybersecurity purchases
Sometimes a disaster strikes: ransomware encrypts critical files, adversaries steal sensitive data, a business application is compromised with a backdoor… This is the stuff that CISOs’ nightmares are made of. As devastating as such incidents can be, for the short time after they occur, the enterprise usually empowers the CISO to implement security measures that he or she didn’t get funding for earlier.
Of course, waiting for disastrous events is a reckless and unproductive way to fund cybersecurity purchases. How can you make a proactive business case for justifying expenses that advance your security program? I have a few suggestions based on my prior consulting experience and my recent work as a CISO at a cybersecurity firm.
Security practitioners used to point to the need for defense-in-depth when explaining why the organization should fund yet another cybersecurity measure. Unfortunately, this principle alone doesn’t clarify how many layers are sufficient. Without business-relevant details and the right context, the people reviewing your request won’t understand its necessity and significance to the organization.
The request itself: What details to include?
You might know why the organization needs a given security measure, but how do you relay its significance to others? At the very least, your funding request should cover:
- Risk: How does the measure mitigate or otherwise address a meaningful risk? Explain the relationship between this risk and the organization’s business objectives. Clarify what might happen if you don’t address the risk and how likely this is to happen.
- Cost: How much will the security measure cost? Include upfront and ongoing expenses. Account for the fees you’ll pay to third parties (software as well as infrastructure) and internal costs related to people’s time. Discuss the costs of alternative ways of addressing the risk.
- Context: What role does your request play as part of the organization’s other initiatives and priorities? Also, discuss how other companies similar to yours handle such risks. Describe the way in which the risk fits into the current threat landscape that’s relevant to your organization.
The details above are essential, but they are not sufficient. The decision makers also need to understand that this is not merely a one-off request, but that it’s a part of a reasonable plan to strengthen the company’s security programs. This is where modern frameworks can help.
Your security program: A method to the madness
If you’re just starting a cybersecurity program, a good way to pick minimum security measures is CIS Critical Controls. This list and the accompanying guide provide practical consensus-based recommendations. If any of these controls are missing from your company, you can point to CIS Critical Controls to justify your request to fund the corresponding initiative. If you’re at a young tech company, consider as another reference the Security4Startups Controls Checklist, which was created by a group of experienced security professionals.
When requesting funding for security projects in organizations that require more sophistication than the lists above offer, take a close look at the NIST Cybersecurity Framework (CSF). It provides a comprehensive listing of security measures that enterprises should implement and has gained traction among government and commercial organizations in the US and world-wide.
Another reference to consider when deciding what security measures your enterprise needs is the Cybersecurity Defense Matrix, created by Sounil Yu. It offers a convenient way to understand the role that your various security tools play and helps identify portfolio gaps. This uses CSF categories to classify cybersecurity controls and reminds you to understand their capabilities with respect to your devices, applications, networks, data, and users. It’s handy for identifying areas that might have too many or too few security measures.
Additional justifications: Legal and privacy considerations
If you need additional ammunition to justify must-have cybersecurity measures, your company’s attorneys might help. Get their guidance regarding picking the baseline controls you must have to exercise due care and avoid negligence. Work with them to understand the relevant laws and regulations. Don’t forget to consider privacy obligations, such as CCPA and GDPR. Ask whether CIS Critical Controls or another framework provides a reasonable starting point.
Speaking of CCPA and GDPR… When explaining how your funding request is a part of a larger plan that benefits the organization, look at the NIST Privacy Framework. This methodology (and others like it) is especially relevant to organizations formalizing their privacy program. Though the scope of a privacy program goes beyond cybersecurity, there is a substantial overlap between the two worlds. You can strengthen the case for your security measure if it addresses cybersecurity as well as privacy risks.
The various frameworks above help you to explain how your security measure – and the associated funding request – fits into your broader plans for securing the organization. Discussing your request as part of the overarching plan explains how this request contributes toward the evolution of your cybersecurity program. It also prepares the organization for the subsequent requests that you will need to submit later.