Despite frequent news headlines describing large-scale data breaches around the globe, chief information security officers (CISOs) still struggle to justify security investments to top leadership. According to Gartner, security spending makes up only about 5.6 percent of overall IT funds.
Whatever security budget is ultimately approved by enterprise leadership, it’s up to CISOs to optimize the allocation of that money. More funds might help, but only if they know how to spend it effectively — and that planning starts before the first pitch. Let’s take a closer look at four key steps security leaders can take to maximize their return on security investment.
1. Assess Risks, Assets and Resources
A CISO should first thoroughly evaluate the systems, data and other business assets that are both valuable and potentially at risk in the organization. Today, this makes up an ever-evolving network, and priorities will shift over time to reflect changes in the business and the threat landscape.
“You should first identify and document the assets you need to protect most,” said Jo-Ann Smith, director of technology risk management and data privacy at Absolute. “What’s important to your business, and what are the main threats to your systems and data?”
That evaluation needs to take place before you even set foot in the executive office or boardroom to advocate for security. Its findings will be foundational to the security program’s goals and budget recommendations. Technologies purchased and the needs they serve will be unique to each business.
In other words, the results of the initial review could mean many different things for different CISOs. The general models provided by industry frameworks can help security leaders shape priorities and identify gaps specific to their businesses.
Kip Boyle, CEO of Cyber Risk Opportunities, noted that the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the best method to assess cyber risk.
“We find that most companies are underinvested in such key mitigations as indemnity contractual provisions with suppliers and customers, antiphishing training, cyber insurance coverage and crisis management planning,” he said. “Yet these are all crucial to mitigating modern cyberthreats.”
2. Align the Security Budget With Business Goals
When demonstrating the return on security investment to executives and board directors, security leaders must speak the language of money. How does security serve the business?
“CISOs should always align with the business when evaluating how to spend,” said Larry Friedman, CISO at Carbonite. “Security spend should be calculated based on the risk associated with assuring continuity with important business processes.”
This goes beyond protecting data and maintaining regulatory compliance. Seeking opportunities to use security funding not just for risk mitigation, but also to boost revenue and accomplish other business wins such as enhanced productivity, helps the CISO position security as a dynamic business enabler rather than a static cost center.
The CISO should implement automated security intelligence and analytics tools to reduce the security team’s busywork and help it focus on more strategic projects. As you analyze opportunities for investment, consider not only how much they cost, but also how much they could save the company or add in value.
3. Hire and Train Good People
The oft-lamented cybersecurity skills gap shows few signs of closing. A recent report from the International Information System Security Certification Consortium (ISC2) placed the worldwide cybersecurity skills gap at almost 3 million unfilled positions, and about two-thirds of businesses believe they have inadequately staffed security teams.
It stands to reason that one of the best investments in a security program is an effective staff. However, in a tight market for employers seeking talent, organizations may have to look inward and invest in training employees who otherwise might not have considered a security career.
By training people that are already part of the organization and recruiting them to work in security, CISOs can offer opportunities for professional growth and build their security teams while taking advantage of the employees’ institutional knowledge.
4. Invest in Security Culture
An effective cybersecurity strategy must include a corporate culture in which every employee values security. But the “2018 Cybersecurity Culture Report” from the Information Systems Audit and Control Association (ISACA) and Capability Maturity Model Integration (CMMI) Institute found that most organizations still struggle with establishing a security culture. In addition, 95 percent of survey respondents noted a gap between their current and desired organizational culture of cybersecurity.
What does it mean to build security culture into business? It’s means getting all employees — from the security team to the executive suite — to feel invested in the company’s security and risk posture and to engage in secure behavior. Investments in security culture could include initiatives such as awareness training, a secure development life cycle program, and rewards for employees who demonstrate compliance and report incidents.
Some numbers bear out the benefit: According to the ISACA/CMMI study, organizations that reported an inadequate security culture are spending 19 percent of their annual cybersecurity budget on training and awareness. Firms that report stronger cultures spent a share more than twice as large on average (43 percent).
In an ISACA blog post about the study results, Heather Wilde, chief technology officer (CTO) at ROCeteer, noted that the benefits of security culture investment go beyond security. A majority of respondents (66 percent) said their organization experienced a reduction in cyber incidents, but Wilde noted that many other benefits were customer-facing: improved trust, stronger reputation and increased revenue, to name a few.
There is no simple answer to the question of how best to allocate security budget dollars, and the optimal course will vary widely from business to business. But a thorough assessment of a company’s current security posture and culture, along with an evaluation of how security can benefit business goals and enable the company mission, gives the CISO a road map for prioritizing investments.