A CISO’s job can be one of the most stressful in cybersecurity. It can sometimes feel like an avalanche of responsibilities, all in the pursuit of keeping an organization safe.
The problem more often than not comes down to the issue of obtaining funding for new technology that can make the job easier. In reality, CISOs can't always obtain the executive buy-in necessary for receiving that funding. Their organization's security posture then suffers as a result.
To help CISOs who are in this position, we asked a group of experts to weigh in on the following question: What are some ways to achieve buy-in for cybersecurity projects?
Maurice Uenuma | LinkedIn
I think we have all learned by now that it's nearly impossible to accurately quantify Return on Investment (ROI) in any sort of security initiative. Security inherently is a process of dealing with the unknown. So, it's always tough. There are, of course, some ways to measure the financial impact of breaches – for example, the average cost of a breach to an enterprise or a financial impact per record stolen. That data is available, but ultimately, it comes down to each organization looking at its own place in the world and understanding what it can tolerate and what it cannot. This is risk management. Do you mitigate the risk, transfer it, share it, and so forth? That is going to drive a lot of the discussion.
An important part of risk management is understanding the identity and purpose of the organization as well as being able to speak to that. For instance, for banking and financial services, the integrity of financial transactions is critically important. For critical infrastructure owner/operators, the reliability of control systems to support life and limb is very important. In the automotive industry, safety is important. The ability to tie a security investment message back to that, recognizing that we can't perfectly quantify it, is an important skill.
Fareedah Shaheed | (@CyberFareedah) | LinkedIn
That's a billion-dollar question. We focus so much on the technology, but we don't realize that the people who need to fund or approve that technology don't necessarily understand what you're doing. Having someone who can speak about the technology and relate it to the information that a stakeholder needs to know is the most effective method for achieving that. We always say, "Communication is key" and "We're always communicating." But are we communicating effectively?
I definitely would invest in someone who's a trained professional and make sure that you're getting your pitch correct so that another person can understand what is being asked. Then, you can focus on developing a really great relationship with them so that they know that you can trust each other. When people like and respect each other, they're more likely to sit down and work towards a solution to a problem.
Gary Hibberd | (@AgenciGary) | LinkedIn
I think there are a number of ways to do this. It's taking it from the macro to the micro. I often tell people to first identify the business benefits of implementing cybersecurity. What is that return of effort and investment? Not just to the CISO but to everybody around the Board table. So, when you work within an organization, it's important for you to get to know the C-suite. Every person in that room will have a company agenda, a corporate agenda, but they'll also have a personal agenda. What are their pinpoints? What are the pinpoints for the head of Human Resources? Also, what is their experience with information security? He or she may have had a real issue with the previous person when information security programs were being implemented.
Therefore, the minute you start talking about information security, it may not be you or the topic that is putting them off. What you may actually be experiencing is something that may have triggered something in them from a previous unpleasant experience. So, you have to take time to get to know them, their professional as well as their personal goals. When we talk about getting the buy-in from the board, we often talk about where we can reduce costs or where we can make this a business differentiator. It might be best to speak on a personal level to get them on board. It might be to say to them, "If you have kids, this means that you're not going to get harassed on the weekends. When we have an outage, you're not going to have to jump on an emergency call to deal with that client issue because we've had a cyberattack." Just being able to speak on a personal level as well as a corporate level is something I think that is often missed. It's an opportunity missed.
Jessica Barker | (@drjessicabarker) | LinkedIn
This is certainly a challenging area. I know that lots of people struggle with this. I'm fortunate enough to work with many different Boards in organizations. What I find works is firstly to consider the language you use to talk at the Board level. It will be very different of course from how you talk at the technical level and also different from how you talk at a more general, workforce level. What you're focusing on at the Board level is what matters most to them, which is often money. You're talking about finances. You're talking about reputational impact. It's about helping Board members or senior executives understand the impact. I often see people who might have a more technical focus in cybersecurity wanting to talk about technical issues, but from a leadership perspective, they need to know about the impact. They're not so much interested in what the vulnerability does or anything like that. They're interested in how it could affect their organization.
I also find that telling stories works well with whatever audience you're communicating with. It's a case of picking the right stories. Many times, Board-level thinking is about peer organizations and how they compare to their peers. How do we benchmark? So, being able to draw on that and use anything that's in the public domain that has happened to similar organizations helps to bring it to life. Also, use incidents from within the organization and metrics around the topics of interest to the Board. People have a lot of metrics around the technical side, and it’s also acceptable that metrics aren't perfect when it comes to the human side. Some people are too quick to think that you can't put metrics on the human side of security because they won't be fully accurate. Well, no metric is fully accurate, but once you start with data, you can refine it, you can improve it, and it gives you something. You can then talk to leaders about that. They can then track that. So, if you're looking for more budget or if you're looking to show the impact of what you've been doing, metrics will speak volumes with that audience.
Tanya Janca | (@shehackspurple) | LinkedIn
I presented a talk this year called Security Metrics That Matter because I'm obsessed with gathering metrics and data. When I started my first application security program, I literally just took all of the results from our security incidents from the previous three months and noticed that 26% were caused by insecure software. But we had no application security program whatsoever. The developers had no support, no guidance, and no advice. I explained to them that I could use the remaining time left on my consulting contract to address the problem and it would actually cost less than what the incidents were costing us.
I didn't need to buy any tools because I picked a bunch of free tools that we started with. When they saw that all of the incidents could easily have prevented all of those incidents, the three executives I was explaining this to immediately gave me the approval to launch that project. There's all sorts of research out there about how the later you fix a bug, the more it costs. So if you realize during the design phase that there's a design flaw from a security perspective, you can fix it then versus fixing it afterwards. There's an exponential cost difference in fixing something in design rather than fixing it later.
Communication: The Key to Securing Buy-in
Security has often been treated as a cost-center in most organizations. Recent historical breaches have changed that perception, showing that the cost is often outweighed by the benefits of risk avoidance and post-breach remediation. However, that does not mean that the Board of directors is handing out satchels of money without any justification. What our experts demonstrate is that effective and meaningful communication is still the most valuable method towards achieving buy-in for security products. It’s more than just “speaking the language of the business” that matters. It is about having those conversations with more depth of personal and organizational insight.