When Making the Case for a Security Budget, Don’t Just Provide Numbers and Statistics...
As a CEO, I hate spending money on things that don’t help grow my business or improve the products and services we bring to market. While I know there are necessary evils in business that require funding, the thought of spending money on things that are only used in a worst-case scenario are not attractive options to me when it comes to the allocation of limited and important resources. Having spent the majority of my career in the cyber security business, I am well aware that many of my CEO brethren lump security spending into the same bucket as other less desirable expenditures and believe me, I get it.
When the case is being made for budget, my management team expects that I’m going to ask some tough questions. What is the payoff? Where does the risk exist? How likely are we to be affected? What is the potential impact to our business? These are questions that need to be answered. Bottom line, I’m looking for them to prove their case as to why the risk or reward to the business warrants the expenditure.
Executives make purchasing decisions everyday based upon need over want, because they recognize that the failure to do so puts the company in an unacceptable position of risk. We don’t like it, but we understand it.
Here are five other things that we hate spending money on but are willing to do so in order to protect the business. Looking at the rationale for spending money in these areas can help you make the case to your own executive team why cyber security needs to be a priority in your company.
1. Insurance – in business and in your personal life, insurance is a check nobody ever wants to write. But we understand that protecting our critical assets against a catastrophic event is a necessity. Failure do so would be putting the company at risk of serious harm or even “going under” from a single event.
2. Legal Services – while I personally love our attorneys, life would be much simpler without the legal wrangling over contracts, leases and other complicated legal documents. But to try to do it alone would be crazy. Being protected under the law is a must for corporations, both private and public, and it’s well worth the expenditure to have these experts on your team.
3. Compliance – government regulations and compliance initiatives have been on the rise in recent years and show no signs of slowing down. Failure to comply can lead to fines and penalties that could be devastating to large corporations and catastrophic for small to mid-size businesses. Ensuring compliance is a top concern of all management teams, no matter how costly.
4. Data Storage – billions are spent each and every year on data storage solutions and yet I seem to get an alert on a weekly basis telling me that my email is over the size limit. The reason we hate spending money in this area is because we know that a large percentage of what is being stored does not contain critical data tied to the success of the business. However, we can’t take the chance that important data is not accessible so we make the additional investment.
5. Disaster Recovery – again, worst-case scenario expenditure, but one that is absolutely necessary. With many businesses existing solely upon their information and intellectual property (IP), the the sudden catastrophic loss of its data center due to weather, or other form of disaster, could spell the end for many businesses. In today’s market full of information-based companies, the potential for systems and data to be unavailable is a non-starter.
Hopefully you noticed a common theme throughout these examples of things we don’t like to spend money on, but do anyway. In each case, the potential cost to the business of not making the investment far exceeds the actual spend. In other words, these are all critical services that are necessities and not choices. Cyber security is simialr and touches all of the examples above. Failure to protect your company’s critical data is not an option and can have wide-reaching implications beyond the walls of your own business. Depending upon the industry you are in, the compliance and legal issues that would result from a cyber-attack would put you at much more than further financial risk. A complete loss of data or IP could also put you quickly out of business.
When making the case for a security budget, this is the type of argument that will resonate with the CEO. Don’t throw numbers and statistics at them; lay out the business case and the importance cyber security plays in the protection of the brand. They probably still won’t like it, but they’ll be far more willing to buy into this rationale. For an executive not intimately involved with IT and security, it’s kind of like airbags in their car. They don’t want to ever think about them, but they’ll be glad they had them if they ever needed them.