Invest in Solutions: Not Problems

There is an old saying in the business world, that if you want to get ahead, don’t bring your boss problems, bring him or her solutions. The message being that you were hired based on your experience and your ability to get the job done, not to create more problems. The same can be said when it comes to investing in security solutions. When budget requests come before the C-suite for new technology, they want to be assured that a problem is being solved, not created, based on this investment.

Many of you are probably reading that and saying, “Obviously.” But the reality is that adding new technology to the security mix can often have unintended consequences and end up either costing the company more money, making it less secure, or in some cases, both. When technologies don’t fit together seamlessly, problems can arise that distract from the primary goal of keeping the organization’s most critical assets safe from attack. While cyber security is a complex industry, adding layers of complexity to your security operation instead of simplifying processes is a poor investment and a waste of critical resources.

For example, false positives can be a time-consuming and costly problem in our industry. When technologies don’t properly align, the rates at which false positives are created far outpace the norm. This leaves security experts focusing more on qualifying problems that don’t even exist instead of dealing with real vulnerabilities, many of which could be critical to the organization’s security. This creates a scenario in which budget allocated to security to shore up potential areas of weakness ends up costing the company much more in terms of dollars and resources. The end result can be a less secure network.

So how do you eliminate this issue from the equation when making purchasing decisions? Here are a few suggestions to help the CISO make a case for budget allotment and focus on putting dollars to work as they are intended.

Identify the problem you intend to solve. – Be as specific as possible and carefully evaluate the impact of this technology on other systems you are currently running. Many organizations make the mistake of going too wide and hoping that by throwing more money and technology at a problem, it will go away. Always remember, hope is not a plan and is a poor substitute for proper research and planning.

Have a strategy and make it actionable. – I can’t even count how many times I’ve heard from customers in the field that investments in new technology were made and implemented and only then do they start to figure out what to do with it. New technology needs to be vetted and accounted for prior to implementation, so it helps to solve a problem from day one and doesn’t cause needless delays and distractions for the security team.

Always come to the table with a backup plan and a minimum threshold. – While I’m sure that the CIO or CEO would like to be in a position to grant you all the budget you need for new security investments, the reality of the situation is that you are competing against colleagues in other departments for a limited budget and the expectation of getting everything you need is simply not realistic.

Articulate the security discussions in business terms. – Not only does this help you make the case to your executives for budget, but it also allows you to prioritize investments in security technology. If the solution you want to implement doesn’t solve a problem that costs the business money, isn’t going to save the company a significant amount of budget, or isn’t mitigating a serious risk that could lead to legal or compliance issues down the road, perhaps you need to reevaluate the importance of that solution.

To help guide you in this discussion, I’ve included a portion of a post I had written last fall for our company blog that articulates the best way to approach the CEO for budget and how to best align your needs with those of the business.

1. Keep it short. I’ll call it my five priorities – a five-minute CEO conversation. What I mean by this is if you can’t articulate the key points the CEO needs to know about security into five bullets or less and explain them in simple-to-understand terms, you may want to restructure your conversation in order to make sure the message isn’t getting lost in the technical details.

2. Don’t get too technical. Don’t feel the need to include every statistic into your report on how many times your network has been probed, threatened, attacked and so forth. This only serves to create noise that is distracting.

3. Keep the conversation about the business threat – not the technology. For example, if you are looking to make the case for a security upgrade or additional investment, avoid the discussion of threats, malware and botnets, etc. Focus instead on the probability of business loss and what the organization stands to lose if its intellectual property or other critical assets are compromised. These are the types of issues that the CEO, and by extension the board of directors, care about. They are charged with protecting the business and the financial value of the organization. If you can tie the security discussion to the business, you are going to more effectively convey the importance of what you need.

4. Make it a two-way street. The issue of security is an important one. If you need the CEO to pay closer attention and be more responsive to your requests, it’s also incumbent on you to do a better job of conveying the need and the link to the welfare of the business.

5. Be consistent. Whether it’s a weekly or monthly meeting, schedule time with the CEO to give that full update. Security won’t be viewed as a priority unless it is in front of him or her regularly so the CEO can grasp the landscape, appreciate any improvements, understand the issues and provide the resources or counsel when needed.
