Budgeting for security products: What CISOs need to know

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Rishi Bhargava
 

Connecting state and local government leaders

By Rishi Bhargava

|

Chief information security officers must consider the threat surface, the adequacy of legacy products and the availability of innovative security solutions to decide how secure their agencies.

Protecting agencies against cyber criminals can be a daunting task. The threats are constantly changing, the criminals are becoming more sophisticated and the attacks are growing ever more numerous. Many government chief information security officers have been left struggling to decide which security products represent the best use of their budgeted funds.

Increasingly, CISOs are expected to justify expenditures in terms of the return on the investment. CEOs, CFOs and most other C-suite executives want to see "hard numbers" that explain exactly what they are getting for their money. However, security does not lend itself to the metrics that are typically used to justify capital expenditures. Most of the benefits delivered by security products are intangible.

For example, if a CISO wants to spend $100,000 on a firewall, his justification may include information about the threat and the agency's vulnerability as well as case studies of organizations that paid dearly for ignoring risks and weaknesses. Unfortunately, this information may carry little weight with those who approve the expenditure; they often cannot convert the information into a business case and ROI dollar amount.

Budgeting can also be complicated by a CISO's lack of insight. CISOs need visibility into what each security product provides, including whether it is being used effectively and yielding the expected results. They also need easy access to information about the types of attacks that the agency has faced and is most likely to face in the future. For example, did hackers launch a persistent attack or was malware introduced when an employee fell victim to a phishing campaign? 

The more knowledge the CISO has, the easier it will be to allocate funds correctly. Historically, most CISOs have focused on attack prevention, investing significantly less in detecting and responding to threats. Cyber criminals have repeatedly demonstrated that with persistence they can penetrate most preventive security, including firewalls, single-factor authentication and signature-based anti-malware solutions. Preventive security products certainly ensure that not every hacker can succeed, but a sophisticated criminal may still penetrate an agency’s defenses -- and it takes only one successful breach to potentially ruin an agency’s reputation and business. 

One simple trick: The security scorecard

At its most basic, cybersecurity is about managing risks. The assets that require protection, the threats that place the assets at risk and the potential harm to the agency that a successful attack could cause are all terms most managers understand. Disaster recovery, business continuity and regulatory compliance are also concepts that C-level executives can grasp. CISOs have access to vast amounts of data that can be used to identify and assess risks, but how can they present this information -- much of which may appear incongruous to those not involved in cybersecurity -- in a way that will not be overwhelming or difficult to understand?

The answer is a security scorecard. CISOs need a platform that can give them visibility into all of the security products the agency employs. A security automation and orchestration platform can serve as a hub that connects all security products, allowing creation of a security scorecard for incident response functions. CISOs then can use the scorecard to make informed decisions about budget allocations for various security products. The scorecard also provides valuable, organized information that can be used to justify expenditures to those who issue the final approvals. 

Scorecards can help CISOs frame information in ways that other executives can relate to business goals. After all, cybersecurity is not a freestanding discipline that has no connection to the rest of the agency. Digital risk management touches every department, from human resources to marketing, and cybersecurity products must contribute to helping the agency achieve its overall goals. CISOs can use scorecards to demonstrate how security products relate to business goals.

For example, if the agency's goal is to maintain its reputation for integrity, scorecards can help prove that a successful breach could damage the agency's reputation. If the goal is to make information easier for field personnel to access, scorecards can help show that without adequate security, the plan would not be viable. If the leading concern is confidentiality, easy access to information could undermine the CISO's efforts. The key is to determine what the agency cares about the most.

Closing thoughts

As the number of security products continues to increase, CISOs will face an ever-longer line of vendors offering new takes on cybersecurity. At the same time, CISOs increasingly will be held accountable for their purchases. They must employ every tactic they can to help justify their needed expenditures.

CISOs should not be too hasty to discard security products that are still useful and effective, but they must be willing to pursue advanced technologies that can help them keep their agencies secure against ever-evolving attacks. There is no universal way to allocate a security budget. Instead, each CISO must consider the threat surface, the adequacy of legacy products and the availability of innovative security solutions to decide how to serve the needs of the organization properly. Security scorecards provide a useful tool for CISOs who are still struggling to decide on the best way to allocate funds for various products.

NEXT STORY: One-stop shopping for state services on its way

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.