Budgeting for security products: What CISOs need to know
- By Rishi Bhargava
- Oct 19, 2017
Protecting agencies against cyber criminals can be a daunting task. The threats are constantly changing, the criminals are becoming more sophisticated and the attacks are growing ever more numerous. Many government chief information security officers have been left struggling to decide which security products represent the best use of their budgeted funds.
Increasingly, CISOs are expected to justify expenditures in terms of the return on the investment. CEOs, CFOs and most other C-suite executives want to see "hard numbers" that explain exactly what they are getting for their money. However, security does not lend itself to the metrics that are typically used to justify capital expenditures. Most of the benefits delivered by security products are intangible.
For example, if a CISO wants to spend $100,000 on a firewall, his justification may include information about the threat and the agency's vulnerability as well as case studies of organizations that paid dearly for ignoring risks and weaknesses. Unfortunately, this information may carry little weight with those who approve the expenditure; they often cannot convert the information into a business case and ROI dollar amount.
Budgeting can also be complicated by a CISO's lack of insight. CISOs need visibility into what each security product provides, including whether it is being used effectively and yielding the expected results. They also need easy access to information about the types of attacks that the agency has faced and is most likely to face in the future. For example, did hackers launch a persistent attack or was malware introduced when an employee fell victim to a phishing campaign?
The more knowledge the CISO has, the easier it will be to allocate funds correctly. Historically, most CISOs have focused on attack prevention, investing significantly less in detecting and responding to threats. Cyber criminals have repeatedly demonstrated that with persistence they can penetrate most preventive security, including firewalls, single-factor authentication and signature-based anti-malware solutions. Preventive security products certainly ensure that not every hacker can succeed, but a sophisticated criminal may still penetrate an agency’s defenses -- and it takes only one successful breach to potentially ruin an agency’s reputation and business.
One simple trick: The security scorecard
At its most basic, cybersecurity is about managing risks. The assets that require protection, the threats that place the assets at risk and the potential harm to the agency that a successful attack could cause are all terms most managers understand. Disaster recovery, business continuity and regulatory compliance are also concepts that C-level executives can grasp. CISOs have access to vast amounts of data that can be used to identify and assess risks, but how can they present this information -- much of which may appear incongruous to those not involved in cybersecurity -- in a way that will not be overwhelming or difficult to understand?
The answer is a security scorecard. CISOs need a platform that can give them visibility into all of the security products the agency employs. A security automation and orchestration platform can serve as a hub that connects all security products, allowing creation of a security scorecard for incident response functions. CISOs then can use the scorecard to make informed decisions about budget allocations for various security products. The scorecard also provides valuable, organized information that can be used to justify expenditures to those who issue the final approvals.
Scorecards can help CISOs frame information in ways that other executives can relate to business goals. After all, cybersecurity is not a freestanding discipline that has no connection to the rest of the agency. Digital risk management touches every department, from human resources to marketing, and cybersecurity products must contribute to helping the agency achieve its overall goals. CISOs can use scorecards to demonstrate how security products relate to business goals.
For example, if the agency's goal is to maintain its reputation for integrity, scorecards can help prove that a successful breach could damage the agency's reputation. If the goal is to make information easier for field personnel to access, scorecards can help show that without adequate security, the plan would not be viable. If the leading concern is confidentiality, easy access to information could undermine the CISO's efforts. The key is to determine what the agency cares about the most.
As the number of security products continues to increase, CISOs will face an ever-longer line of vendors offering new takes on cybersecurity. At the same time, CISOs increasingly will be held accountable for their purchases. They must employ every tactic they can to help justify their needed expenditures.
CISOs should not be too hasty to discard security products that are still useful and effective, but they must be willing to pursue advanced technologies that can help them keep their agencies secure against ever-evolving attacks. There is no universal way to allocate a security budget. Instead, each CISO must consider the threat surface, the adequacy of legacy products and the availability of innovative security solutions to decide how to serve the needs of the organization properly. Security scorecards provide a useful tool for CISOs who are still struggling to decide on the best way to allocate funds for various products.
Rishi Bhargava is the vice president and co-founder of Demisto.