Security Experts:

Defend Your Budget to Defend Your Company

IT Security Budgets

A key focus at the 2015 RSA Conference was the elevation of cyber security from the IT department to the board room. By and large, we're seeing leadership across enterprises around the globe take notice, as highly visible attacks on the US government, Anthem, and others have raised questions like, "Can this happen to us?" The advent and proliferation of the Chief Information Security Officer (CISO) spotlights the anxiety in the board room but also shows that the cyber risk message has been received. For the IT professional, however, access to the board room is just the beginning of a new journey.

IT practitioners must learn to think, and communicate, like a board member. One opportunity for security leaders and CISOs to showcase their executive skills comes in the form of defending their budgets.

To do so, it’s imperative for the CISO to first understand where the company’s dollars are being spent and identify potential areas of cost savings. At RSA, CISOs were polled about bloat in the IT security infrastructure, and more than 80% of the respondents stated that they had redundant software or hardware. Estimates of wasted money paying for maintenance and support varied but reached up to 28% of the overall budget. This is particularly true in cases where mergers have occurred. As such, the first step in preparing to defend budgets is taking an inventory of the firm’s security platforms. From there, a CISO can easily create a plan to rationalize the company’s infrastructure and the services for which they pay.

Next, CISOs should look for opportunities to cut costs and operationalize security. This means using the savings accrued by eliminating unnecessary redundancy to install on-premise or cloud platforms that pull together data and threat intelligence. These platforms enable security analysts to make fast and accurate decisions, and when integrated into workflow management or ticketing systems, limit the amount of unnecessary work a security professional is required to do. To be clear, this is not about cutting headcount. It's about empowering the team in place with the support they need.

Finally, and perhaps most crucially, CISOs must begin to prioritize risks effectively, weighing the potentially affected audience against the cost of remediation. In some cases, the platform installed to operationalize security can help here: it can reduce alert fatigue by giving analysts a systematic way to rank and deal with the increasing array of attacks. The prioritization and operationalization of individual risks is what will resonate with the board of directors. Translating "security concerns" into "business risks" and then proceeding according to the largest threat is the way any board would want to proceed.

As such, it is also how most boards would proceed when discussing and approving a budget. Today's CISO, with his or her seat in the board room, can't respond to the growing demand for cyber preparedness with constant requests for more headcount and more investment. Instead, he or she must maximize staff productivity and then find cost-effective ways to bolster the team's performance. Managed services should play a key role in augmenting staff performance. At minimum, these services strengthen perimeter defenses and limit the amount of potential malware getting through, and therefore allow an internal team to focus on solving fewer challenges. Managed services that incorporate real-time threat intelligence ensure security professionals have a better idea of where to focus most.

If you're a CISO, you no doubt have the security skills required to meet the demands of the role. Now it's time to showcase your executive skills by taking an inventory of systems, identifying opportunities for operationalization and improvement, and being well positioned to defend the budget your team needs to protect the company.

Related Reading: CISOs Challenged in C-Suite

Related Reading: Why CISOs Need a Security Manifesto

Related Reading: How a CISO Can Be a Change Agent Within a Company

Bill Sweeney is the US financial services evangelist of BAE Systems Applied Intelligence and is entrusted with cultivating innovative technology solutions in cyber security, fraud prevention and regulatory compliance for buy- and sell-side professionals worldwide. For more than 20 years, Bill has leveraged emerging and state-of-the-art software and services to empower and transform investment operations as well as control risks. He has served as CIO and CTO for a number of marquee-name banks, hedge funds and Wall Street firms. Prior to joining BAE Systems Applied Intelligence, Bill served as chief information officer of compliance and legal technology for Citi. From 2008 to 2012, he was director of research technology for hedge fund Bridgewater Associates. In addition to serving in senior roles for several technology boutiques, Bill also was CTO of HSBC. He is a graduate of Manhattan College and earned his master’s degree in computer science from the University of Southern California.