Cybersecurity leaders are preparing for a rude budget awakening in 2023. The problem is multi-faceted. First, cyber-attacks are continuing to disrupt services and infrastructure with increasing velocity and impact. Secondly, the world is facing more economic uncertainty. Looming geopolitical tensions are now affecting physical and financial supply chains. Gone are the days of receiving a blank check for your cybersecurity program. Today, your team’s needs are treated more like operating expenses that need to be justified rather than necessary long-term capitalized improvements.
As the year progresses, planning for an unexpected reduction and reprioritization of human and financial resources is prudent. Regardless of monetary challenges, cybersecurity leaders must remain unflappable in their mission to protect the enterprise. But you still need the money for critical security investments! So, what can you do? Fortunately, the buck stops here and now. This blog shares ten cybersecurity budget questions you need answered to cut your budget, not your security.
1. Have you performed an assessment?
Cybersecurity assessments provide a standard way to align your cybersecurity team to your critical gaps. Industry-recognized frameworks like NIST CSF can help you identify any areas of your cybersecurity program that need attention. These frameworks are trusted, respected, and can reduce complexity. Risk management platforms offer a selection of various assessment frameworks designed to help you track, communicate, and measure your progress.
2. Have you quantified your priority cyber scenarios in monetary terms?
Beyond thinking about defense, cybersecurity budgets require a proactive approach to align cybersecurity posture with the overall business strategy. Thinking about how cybersecurity scenarios impact the business financially can help take the uncertainty of budget prioritization. Additionally, speaking in dollars and cents can help you dispose of vague traffic light reporting that often leads to debate and budget delays. Cyber risk quantification highlights the cost of making security improvements versus the potential loss of not doing so.
3. Have you identified and considered the outside expectations placed on your team?
Many CISOs now have very close alignment to the C-suite, so it’s become easier to have documented and clearly defined expectations that resonate with business risk, not just technical requirements, and business unit KPIs. However, don’t forget that your security team may also have certain obligations from other business units you are not aware of. It’s crucial to know what is expected from your team out of your purview and how it aligns with your own cybersecurity program goals.
4. Is there an alignment of current expectations with human and technical capital?
When developing an optimal cybersecurity program, your budget is only part of the problem. Considering how financial resources align with your team’s human and technological capabilities is creates operational synergies. Achieving new security capabilities often require a great deal of onboarding and human expertise. Have you assessed your team’s capabilities and adjusted accordingly? This often means having more detailed profiles of every single person on your security team.
5. Can you build out flexible reporting for your budget gatekeepers?
Every minute counts as a CISO, and you need proof of value at your disposal at any moment. You need a standardized way to report your progress over time to validate the impact of your decisions, not an all-nighter manipulating custom PowerPoints. Reporting over time needs to be simple and flexible enough to show how your program’s cyber maturity has evolved and how it stacks up to external peers. Otherwise, budget demands often turn into budget debates.
6. Have you considered your minimal necessary protection?
You can’t defend everything. This goes down to the notion of understanding the concepts of both susceptibility and impact. Some cyber-attacks are much harder to execute for malicious actors. And certain successful attacks won’t have a meaningful financial impact on the organization. Therefore, you must use your quantified cyber scenarios from above to truly understand your organization’s crown jewels to protect them first and foremost.
7. Are your team members properly matched with their competencies?
Human skills matter the most in cybersecurity. Return of human capital often begins by making sure your team’s skillset is appropriately matched with the right job responsibilities. Poorly matched team members will result in huge cost overruns regardless of the spending cycle because the organization is not extracting the maximum value from the cybersecurity team. As we mentioned earlier, consider maintaining profiles of team members with detailed information on their skill sets and their bodies of technical knowledge.
8. Have you analyzed which platforms and tools are redundant?
Having your tech stack inventoried is ideal but not always possible, given the size and scope of an organization. If you are a CISO of a smaller business, it may be possible to identify redundant technologies. However, at larger organizations, a useful shortcut may be to select your top five most expensive tools and your top five most “complex” tools (surveyed by your team) to see if they are truly necessary to protect the enterprise. Oftentimes, these exercises result in identifying at least one redundant technology that can be removed without breaking interdependencies, resulting in significant human or financial resources.
9. Do you understand the risks you and your business can accept?
Risk management is an unavoidable part of the job for any CISO. As part of building out a cybersecurity program, risk acceptance often boils down to understanding you can’t prevent all cyber-attacks. Fortunately, controls such as cyber insurance can work in combination with your technology and process improvements to minimize a loss if an attacker is successful. You need to understand how much loss your organization can withstand and if you have any gaps in your insurance policies that will leave you overexposed.
10. Are your cyber risk numbers defendable?
When asking for your dream cybersecurity budget, you must ensure your numbers are defendable. This boils down to using a transparent method to justify which risks are worth protecting. There’s no better way to get the budget you need than by clearly aligning the control improvements to risk reduction in dollars and cents. As mentioned earlier, you can accomplish this with cyber risk quantification—with an important caveat. The cyber risk quantification methodology you choose needs to be transparent, use simple arithmetic, and be built with proven statistical methods to determine a range of impacts.
We hope these ten questions have provided sustaining food for thought in achieving your cybersecurity budget. Now more than ever, one must cut budget without sacrificing security. If you are interested in discussing any of these above questions, we’d be happy to showcase Axio360, our risk management platform designed to provide trustworthy answers to ensure you look your best as a cybersecurity leader—in financial and technical terms.