How to Boost Executive Buy-In for Security Investments

Linking security budgets to breach-protection outcomes helps executives balance spending against risk and earns CISOs greater respect in the C-suite.

It's no secret that there is a tenuous relationship between most chief information security officers (CISOs) and their executive suite and board. The CISO is caught between a rock (cause) and a hard place (effect).


CISO-led enterprise security programs are intended to protect against security breaches. Executives have a duty to protect a business from unacceptable impacts, but they are rarely (if ever) presented with quantifiable and data-driven security strategies and action plans that link control of specific security breach outcomes — and associated impacts — with specific budgets. 


This exposes executives to external challengers — including investors, insurers, opposing legal counsel, regulators, and customers — regarding enterprise cyber-risk exposure. But these are not the only challengers. Internally, CISOs compete for limited funds against the rest of the business in an opportunity-cost war, and they are in battle with functions that deliver a much more obvious return on investment. 


Setting Cyber-Risk Expectations

To better handle these challenges, a security plan should set an expectation of the level of cyber-risk outcomes per given budget. This would not only set expectations for a given spend, but should a business cut or increase budget, the CISO can demonstrate the resulting change in cyber-risk exposure.


The purpose of a security program is to have a degree of confidence in protection against security breaches. It is less that the executives believe that the business should be protected from breaches by advanced threats (like nation states); rather, they do not have credible information to know if less sophisticated threats, which are vastly more numerous, can breach and cause unacceptabl ..
