There is an old saying in the business world, that if you want to get ahead, don’t bring your boss problems, bring him or her solutions. The message being that you were hired based on your experience and your ability to get the job done, not to create more problems. The same can be said when it comes to investing in security solutions. When budget requests come before the C-suite for new technology, they want to be assured that a problem is being solved, not created, based on this investment.
Many of you are probably reading that and saying, “Obviously.” But the reality is that adding new technology to the security mix can often have unintended consequences and end up either costing the company more money, making it less secure, or in some cases, both. When technologies don’t fit together seamlessly, problems can arise that distract from the primary goal of keeping the organizations’ most critical assets safe from attack. While cyber security is a complex industry, adding layers of complexity to your security operation instead of simplifying processes is a poor investment and a waste of critical resources.
For example, false positives can be a timely and costly problem in our industry. When technologies don’t properly align, the rates at which false positives are created far outpace the norm. This leaves security experts focusing more on qualifying problems that don’t even exist instead of dealing with real vulnerabilities, many of which could be critical to the organization’s security. This creates a scenario in which budget allocated to security to shore up potential areas of weakness ends up costing the company much more in terms of dollars and resources. The end result can be a less secure network.
So how do you eliminate this issue from the equation when making purchasing decisions? Here are a few suggestions to help the CISO make a case for budget allotment and focus on putting dollars to work as they are intended.
Identify the problem you intend to solve. – Be as specific as possible and carefully evaluate the impact of this technology on other systems you are currently running. Many organizations make the mistake of going too wide and hoping that by throwing more money and technology at a problem, it will go away. Always remember, hope is not a plan and is a poor substitute for proper research and planning.
Have a strategy and make it actionable. – I can’t even count how many times I’ve heard from customers in the field that investments in new technology were made and implemented and only then do they start to figure out what to do with it. New technology needs to be vetted and accounted for prior to implementation, so it helps to solve a problem from day one and doesn’t cause needless delays and distractions for the security team.
Always come to the table with a backup plan and a minimum threshold. – While I’m sure that the CIO or CEO would like to be in a position to grant you all the budget you need for new security investments, the reality of the situation is that you are competing against colleagues in other departments for a limited budget and the expectation of getting everything you need is simply not realistic.
Articulate the security discussions in business terms. – Not only does this help you make the case to your executives for budget, but it also allows you to prioritize investments in security technology. If the solution you want to implement doesn’t solve a problem that costs the business money, isn’t going to save the company a significant amount of budget, or isn’t mitigating a serious risk that could lead to legal or compliance issues down the road, perhaps you need to reevaluate the importance of that solution.
To help guide you in this discussion, I’ve included a portion of post I had written last fall for our company blog that articulates the best way to approach the CEO for budget and how to best align your needs with those of the business.
1. Keep it short. I’ll call it my five priorities – a five-minute CEO conversation. What I mean by this is if you can’t articulate the key points the CEO needs to know about security into five bullets or less and explain them in simple-to-understand terms, you may want to restructure your conversation in order to make sure the message isn’t getting lost in the technical details.
2. Don’t get too technical. Don’t feel the need to include every statistic into your report on how many times your network has been probed, threatened, attacked and so forth. This only serves to create noise that is distracting.
3. Keep the conversation about the business threat –not the technology. For example, if you are looking to make the case for a security upgrade or additional investment, avoid the discussion of threats, malware and botnets, etc. Focus instead on the probability of business loss and what the organization stands to lose if its intellectual property or other critical assets are compromised. These are the types of issues that the CEO, and by extension the board of directors, care about. They are charged with protecting the business and the financial value of the organization. If you can tie the security discussion to the business, you are going to more effectively convey the importance of what you need.
4. Make it a two-way street. The issue of security is an important one. If you need the CEO to pay closer attention and be more responsive to your requests, it’s also incumbent on you to do a better job of conveying the need and the link to the welfare of the business.
5. Be consistent. Whether it’s a weekly or monthly meeting, schedule time with the CEO to give that full update. Security won’t be viewed as a priority unless it is in front of him or her regularly so the CEO can grasp the landscape, appreciate any improvements, understand the issues and provide the resources or counsel when needed.