How to Get Your Security Program Funded: A Guide for the CISO
Syncsort recently acquired the IBM i encryption and security products of Townsend Security. The article below is an update to their popular blog post on the importance of encryption in the financial services
A chief information security officer (CISO) can often have a difficult time obtaining budget. They are constantly thinking about ways to improve their security programs, justifying current efforts, and securing the needed funds for next year. When it comes to increasing budget, CISOs need to trade their technology hat for the hat of a Sales or Marketing colleague.
What it boils down to is that a CISO is not a technology provider but a business solution provider. This can be a hard realization for them to make — especially after having spent the first part of their careers deeply immersed in the technology weeds. For the new CISO, and even seasoned veterans, it can be a challenge to market and sell your ideas to (and get funding from) various stakeholders within the company. It is imperative for the CISO to market and sell the security side of the house to the business at large to get what they need.
A CISO must talk business – avoid IT jargon
Not too long ago, the CISO’s job was to approach the C-suite and say something like, “Hey, we need encryption and key management. Give me the budget, and I will make it happen.” And back then, they would usually get the money. But today, it is more about building relationships and solving a business problem.
With the changing times, it is now important to be aware of, and knowledgeable about, the technologies your stakeholders are hearing about. In turn, you can leverage their awareness of current security events to bolster your security project. Many of the stories that in the past would have been exclusive to niche publications like CSO Online and Krebs on Security are now showing up in business news outlets such as Forbes, Businessweek, and the Wall Street Journal – places where your stakeholders go to get information.
When we look at what is being covered by the mainstream media today, it is often topics that security professionals have been dealing with for years but that were rarely put in front of upper management. When security admins talk about data breaches, they talk about SQL injections, or the best practice for data protection and how to manage a database – this is all IT jargon.
It is important to remember that the executive team doesn’t speak your language. When they talk about someone impersonating the CEO via email and exposing W2 information, they don’t know that this is called a “phishing attack.” Security professionals know this, but that isn’t what they call it in USA Today. You have to understand how to connect the dots for non-IT people.
How to market and sell your security program
You will have a chance from time to time to engage stakeholders for 30 seconds to 2 minutes. When you have those opportunities, you need to be ready to sell your program. Practice your pitch so that it comes across naturally, sounding the way you would normally speak.
Here are some general tips for selling your security program:
- Talk about the great things that you are doing and what you want to do more of
- Make sure that they understand your successes
- Don’t talk about stuff that doesn’t matter – that is not how you get a budget
It is also important to have several elevator pitches, depending on who you are going to be talking with. For example, if you have 30 seconds with a CIO or a director, the pitch is going to be different for each one, because they care about different things. Remember, when talking to a stakeholder, you need to discuss something that they also care about. The secret to successfully selling your program lies in the services your group provides. Don’t just talk about building a security kingdom, but rather about business solutions.
Often, when you think about selling, you think about selling to the CFO or even the board. It is less often thought about, but also necessary, that you sell to the security operations center (SOC) manager or other teams or lines of business within the organization. You may not be asking them for funding, but you need to get them on board first, so that when you go to whoever you need to make the big pitch to, they will have your back.
It is much easier to sell when there is a choir of voices saying, “Yeah, this is what we think that we need. This is the solution that we want. We have already bought into the fact that this is what we need.” If you can get 3 or 4 other directors from different lines of business backing you, you will be much more successful at securing funds than if you were to say, “This is what I think is needed,” to which the board replies, “Well, what does the SOC manager think?”
If your funders need more convincing, compliance regulations can often help your cause. Regulations like PCI DSS and HIPAA (as well as others) are constantly evolving. These regulations are always going through review and update, with stronger language and more stringent security demands. PCI DSS, in particular, carries a big stick. Whether you love it or hate it, it can often get you the budget you need, because your business must comply if it wants to take credit cards.
External audit reports can also help propel your security program forward. When they come back negative, business risk has been identified – and business risk speaks very loudly to the C-suite. It is in their charter to acknowledge business risks and take appropriate actions.
One strike doesn’t mean you’re out
Unfortunately, there will be times that you are simply told, “No, there just isn’t budget for _______.” As a smart CISO in this situation, you want to be able to pivot to your backup pitch.
Remember, just because you didn’t hit that “grand slam” doesn’t mean a “single” or a “walk” is out of the question. Your “walk” should be the absolute bare minimum needed to move your cause forward, at least a little. Even the player who gets walked is going to score from time to time. If you can take a “walk” and deliver something with it, you are going to further gain the trust of your funders and establish a positive track record for delivering on time and on budget.
For a better understanding of the security projects currently being funded by other organizations, check out Syncsort’s latest report: Security Insights for 2019.
Assure Security from Syncsort enables your organization to comply with cybersecurity regulations and strengthen IBM i security by controlling access to systems and data, enforcing data privacy, monitoring for compliance, and assessing risks.