For security officers, justifying a cybersecurity budget to key decision makers can come with some challenges. With the number of new cyber risks growing every year, companies have to spend money on areas of data and cybersecurity where they may not have been in the past.
In typical budgeting fashion, most organizations make budget decisions based primarily on the previous year’s spending, resulting in a pretty consistent amount for a security budget. This usually includes the same processes, policies, technology and employees year after year.
Now, enter cyber risks and planning for tighter cybersecurity.
In the past, the lack of a clear understanding of how cybersecurity incidents impacted the business caused consistent under-funding. As budget needs increased, CISOs needed new ways to make their leadership teams understand the increase in these budgetary needs.
Traditional methods used by CISOs to justify their security budgets
Traditionally, CISOs relied on one of two approaches to justify security budgets:
- Fear tactics: Many CISOs claim that the most effective way to get their leadership teams to approve their budget requests is by scaring them into realizing the risks. However, after this approach was used year after year, it lost its effectiveness.
- Benchmarking: Some CISOs use industry benchmarks (e.g., security budget as a percentage of the IT budget) as a measure for their own spending. Although this was extremely informative and helped set a reference point, the numbers didn’t reflect the unique needs of their organization.
New tactics to justify your cybersecurity budget
It’s time to put old tactics aside and get your leadership on board with the increased need for a robust cybersecurity budget. Instead of building fear or relying only on past data or benchmarks, look to the future and justify the budget’s importance by focusing on these three areas:
- Build your business case: The most efficient way to get buy-in from leadership is to focus on how security can improve the business, not the other way around. Many in leadership see security spend the same as buying an insurance policy and therefore there is going to be a limit to how excited they are going to get about it. CISOs need to work harder at connecting the dots between security and the positive ways it impacts the business.
- Outline compliance requirements: Using compliance requirements is an effective way to get cybersecurity projects funded. There are many different laws and regulations that require companies to meet certain standards each year. HIPAA in the healthcare industry and PCI DSS in the retail industry are two examples. There are dozens more depending on the industry and your type of business. Since most executives understand they must approve these initiatives, it’s an easy win in terms of showing the value of an organization’s security budget.
- Demonstrate ROI: The most effective way to get a cybersecurity budget approved is to provide the leadership team with quantitative ROI from your cybersecurity programs and projects. Leadership teams are more likely to respond favorably to budget requests when costs can be justified with clear numbers and stats. Make sure the numbers are clear and easy to understand.
What other challenges have you faced in justifying a security budget? Do you feel like it gets easier or more difficult each year to increase your department’s budget? Share your thoughts and experiences below!