There is an old saying in the business world that if you want to get ahead, don’t bring your boss problems, bring him or her solutions. The message is that you were hired based on your experience and your ability to get the job done, not to create more problems. The same can be said when it comes to investing in security solutions. When budget requests come before the C-suite for new technology, they want to be assured that a problem is being solved, not created, based on this investment.
Many of you are probably reading that and saying, “Obviously.” But the reality is that adding new technology to the security mix can often have unintended consequences and end up either costing the company more money, making it less secure, or in some cases, both. When technologies don’t fit together seamlessly, problems can arise that distract from the primary goal of keeping the organization’s most critical assets safe from attack. While cyber security is a complex industry, adding layers of complexity to your security operation instead of simplifying processes is a poor investment and a waste of critical resources.
So how do you eliminate this issue from the equation when making purchasing decisions? Here are a few suggestions to help the CISO make a case for budget allotment and focus on putting dollars to work as they are intended.
Identify the problem you intend to solve. – Be as specific as possible and carefully evaluate the impact of this technology on other systems you are currently running. Many organizations make the mistake of going too wide and hoping that by throwing more money and technology at a problem, it will go away. Always remember, hope is not a plan and is a poor substitute for proper research and planning.
Have a strategy and make it actionable. – I can’t even count how many times I’ve heard from customers in the field that investments in new technology were made and implemented and only then did they start to figure out what to do with it. New technology needs to be vetted and accounted for prior to implementation, so it helps to solve a problem from day one and doesn’t cause needless delays and distractions for the security team.
Always come to the table with a backup plan and a minimum threshold. – While I’m sure that the CIO or CEO would like to be in a position to grant you all the budget you need for new security investments, the reality of the situation is that you are competing against colleagues in other departments for a limited budget and the expectation of getting everything you need is simply not realistic.
Articulate the security discussions in business terms. – Not only does this help you make the case to your executives for budget, but it also allows you to prioritize investments in security technology. If the solution you want to implement doesn’t solve a problem that costs the business money, isn’t going to save the company a significant amount of budget, or isn’t mitigating a serious risk that could lead to legal or compliance issues down the road, perhaps you need to reevaluate the importance of that solution.
To help guide you in this discussion, I’ve included a portion of a post I had written last fall for our company blog that articulates the best way to approach the CEO for budget and how to best align your needs with those of the business.
1. Keep it short. I’ll call it my five priorities – a five-minute CEO conversation. What I mean by this is if you can’t articulate the key points the CEO needs to know about security in five bullets or less and explain them in simple-to-understand terms, you may want to restructure your conversation in order to make sure the message isn’t getting lost in the technical details.
2. Don’t get too technical. Don’t feel the need to include every statistic in your report on how many times your network has been probed, threatened, attacked and so forth. This only serves to create noise that is distracting.
4. Make it a two-way street. The issue of security is an important one. If you need the CEO to pay closer attention and be more responsive to your requests, it’s also incumbent on you to do a better job of conveying the need and the link to the welfare of the business.
5. Be consistent. Whether it’s a weekly or monthly meeting, schedule time with the CEO to give that full update. Security won’t be viewed as a priority unless it is in front of him or her regularly so the CEO can grasp the landscape, appreciate any improvements, understand the issues and provide the resources or counsel when needed.