Part of a ZDNet Special Feature: Tech Budgets 2022: A CXO's Guide

Cybersecurity spending is a battle: Here's how to win

Executives can be reluctant to free up budget to fund cybersecurity. Here's how to convince them that spending money on securing the business is the right thing to do.


The Chief Information Security Officer (CISO) is in the unenviable position of keeping the data, assets and personnel of the whole organisation secure at a time when cybersecurity threats lurk around every corner.


Phishing attacks give attackers a relatively simple means of stealing usernames and passwords; software vulnerabilities left unpatched can provide a foothold into the whole network; and the spectre of a devastating ransomware attack, which could cost millions of dollars, looms large.

In addition to all this, businesses -- and their information security teams -- have had to adapt to the rise of remote working, which delivers business continuity for organisations and employees, but also provides cyber criminals with additional opportunities for network compromise.


It's no wonder that most CISOs believe that there's a risk of their organisation facing a damaging cyberattack in the next 12 months, particularly when high-profile incidents like the Colonial Pipeline attack and the ransomware attack against the Irish healthcare service have demonstrated just how disruptive a cyberattack can be. 

Add the need for regulatory compliance with data protection laws and there's a lot for CISOs to consider -- and all of it requires budget and resources. In an ideal world, CISOs would have unfettered access to the resources and personnel required to keep the business secure. But boardrooms are not writing blank cheques for cybersecurity budgets.

So how can CISOs keep the business safe if boardrooms are reluctant to assign budget to something they don't see value in -- especially if the CISO keeps coming back and asking for more?

After all, if a business hasn't been hit by a major cyber incident (that it knows of), the board might see little reason to invest in cybersecurity: they think everything is running smoothly, even though that might be far from the case. 

"Boards of directors are getting a bit fed up with the CISO coming to the annual budgeting conversations saying they need what they were given last year, plus x percent more, which typically has double digits in it," says Paul McKay, principal analyst at Forrester. 

"I think there's a bit of a fatigue within the board of directors -- who think 'we keep giving you more money for security, but you keep coming back the year after and telling us you need more and more'," McKay adds.

But ensuring there's enough budget available to secure the network and provide employees with the necessary tools and skills to stay safe is vital.

Attention seeking

It can be difficult to get the board's full attention, especially if cybersecurity is seen purely as an outgoing with little benefit to the bottom line. The best way to address this is to explain, in plain language, the potential threats out there. It could even be a good idea for a CISO to run an exercise to demonstrate the potential impact of a cyber incident.

This shouldn't be over-dramatised, but presenting the board with an exercise based around a real-life ransomware incident, for example, and explaining how a similar attack could affect the company could open a few eyes, showing what measures need to be taken. This could then lead to extra budget being released. 


"One of the best ways to get their attention is to conduct a very thoughtful ransomware exercise. Pick something very realistic and allow your executive team to walk through the decision-making process," says Theresa Payton, CEO of Fortalice Solutions and former chief information officer (CIO) at The White House. 


In theory, the ransomware exercise will lead executives to ask questions about network security, cybersecurity tools and contingency plans. This can pave the way to teaching the board about these issues, and arguing for the finances required to ensure network security.  

"That will give you the opportunity to show your executives information in a real way that they can digest and make decisions upon. And you can show them 'here's where we have maturity, here's where we're lacking and we're going to need budgets so that we can bolster our defences'," says Payton. 

These conversations are also important because they provide an avenue for helping boardrooms understand the issues around cybersecurity.

Sometimes, cybersecurity professionals take certain attitudes for granted because they live and breathe the subject. But non-experts might not consider the tools and skills needed to help keep an enterprise secure, which is important to remember when talking about cybersecurity in boardrooms.

"I think the average board member is completely overwhelmed by the amount of jargon and terminology, so that it's incredibly difficult for somebody who's disconnected from these topics to make decisions," says Betsy Cooper, director of the Aspen Tech Policy Hub, which works to educate executives and decision makers on cybersecurity.

Bosses might not see the issue with using a weak password or not having multi-factor authentication because, in their eyes, complex passwords and a prompt to double-check that it's really them logging in are barriers to productivity. Understanding why executives might feel this way is key to getting the message across.

"One of the key things that we try to emphasize is not just you have to use simplified language, you have to avoid the jargon, but you also need to start with why it matters," says Cooper.

Spend responsibly

Once CISOs have the board's attention, they should back it up with a plan. They need a strategy for the security budget, and a clear idea of the tools, personnel and training it will purchase.

There's no point requesting a budget then just winging it: the board is more likely to issue the required funding if there's a set plan, a strategy they can see and get behind.

Some boards might even be impressed if the CISO is working under the budget they've set -- something that could lead to increased trust if requests for additional budget need to be made further down the line. 

"Good CISOs recognise that to maintain their credibility with their board, they need to be seen to be spending money in a responsible manner. I've seen examples of them handing back money they don't have good uses to spend on, and saying 'give this to someone else to invest somewhere else in the business'," says McKay. "That kind of responsible stewardship is actually really important".

Businesses ultimately want to make money, and good cybersecurity can help them achieve that goal. A company's reputation -- and bottom line -- could take a dive if it's hit by a major data breach, ransomware attack or any other form of cybersecurity incident.

It can be difficult to persuade boardrooms to free up budget for cybersecurity, but CISOs need to be able to show why investment is needed -- and that by providing this investment, value is added to the business. No CISO wants to see their company become the next victim of a major cyberattack, so it's vital to engage with the board to get this across and secure the necessary budget.