Of all the headaches CISOs deal with daily (and we know there are many!), making a hard-fought case for an appropriate security budget is one they often have to contend with annually. While security and risk mitigation are certainly receiving more attention and priority these days, sufficient dollars for the tools and talent necessary to drive a modern security program are still hard to come by in many businesses.
According to a recent survey from Fortinet of more than 200 CISOs across industries, more than a third (36%) said they lack an adequate budget, which is causing significant impact. The same survey also found 40% of security leaders would prefer to shift resources from prevention to bolster detection and response.
So, what’s the disconnect in sending security’s message to the leaders with the checkbook? Maybe it’s because old strategies of explaining security investment are dated. Perhaps the time has come for a different approach to making the case for the budget to the board and executive management.
“Year after year, CISOs have been requesting funding for more projects, more products, and more staff by talking about defense in depth—the notion that we must deploy multiple security layers because a single one will eventually fail,” said Lenny Zeltser, CISO at Axonius. “Defense in depth is still a valuable concept, but it alone is insufficient for justifying expenses because it doesn’t help answer the question, ‘How much defense is enough?’”
The Tools to Help Secure a Proper Security Budget
What are some other valuable tools, metric and examples that CISOs can bring into the next budget meeting? While there is no one-size-fits-all approach, here are a few ideas.
The Cybersecurity Defense Matrix
“It offers a convenient way to begin organizing security tools and identify portfolio gaps. This matrix can help CISOs structure and explain their capabilities related to devices, applications, networks, data and users,” he said.
The Center for Internet Security’s Critical Controls
Another accessible tool for justifying security expenses is the Critical Controls list, said Zeltser.
“It provides consensus-based guidelines that specify minimum security measures. If a control is missing from the security program, a CISO can point to this reference to justify the request for people, processes, and technology,” he noted.
Dwell time is the amount of time that a vulnerability stays on a network and is calculating by adding Mean Time to Detect (MTTD) and Mean Time to Repair/Remediate (MTTR).
“A high dwell time is bad as it means that the vulnerability has been on the network for a considerable period of time,” said Tom DeSot, executive vice president and CIO at Digital Defense. “Using dwell time, the CISO can illustrate how deeper investments in security technologies and services can reduce the time a vulnerability exists on a network and thereby increases the security of the organization.”
Cross-Vertical and Analyst Reports
Even within a vertical, each organization’s security needs can differ drastically. But some comparison now and again never hurts. Cross-vertical reports quickly illustrate what other organizations within the company’s vertical are doing to address issues that arise from vulnerabilities on a network or host, DeSot said.
“As an example, it may outline the process that most organizations in a given vertical are using to comply with a regulation or how they are dealing with issues such as ransomware when it appears on their network,” he said. “This helps the CISO quickly illustrate tools, services and processes that may need to be budgeted for so that the organization can stay ‘on par’ with similar organizations with the vertical which the company operates in.”
Additionally, relying on information from analyst reports about industry tools and best practices is another way to bring relevant information to make your case for investment.
“Instead of using a ‘shotgun’ approach and hoping to hit the right partner, these reports can be utilized to zero in on those products and services that are trending in the marketplace that will provide the most value to the organization,” he noted.
Percentage of Budget and Number of Events Detected
In a CSOonline blog post about making the case for security budget, Greg Kushto, director of security and enterprise networking at Force 3, suggested starting with the percent of your total IT budget spent on security.
“Illustrating how much (or how little) the IT team has to work with in terms of security will help put that work in context,” he said. “It can sometimes be difficult for non-technical audiences to understand that security only makes up a portion of the total technology budget. They may conflate IT with cybersecurity, assuming the response team has far more resources than they actually do.”
Also, bring with you the number of events detected, Kushto said, and divide it by the security budget for that period.
“By providing an estimated cost for detecting singular events, CSOs can own a measure of efficiency, demonstrating the correlation between security spend and overall cost of detection,” he noted. “This type of measurement presents a great way for CSOs to demonstrate economy of scale, which is crucial during budget talks with your leadership.”