CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Management & Strategy

Things CEOs Hate To Pay For and How They Can Help You Make Your Case for Security

When Making the Case for a Security Budget, Don’t Just Provide Numbers and Statistics…

When Making the Case for a Security Budget, Don’t Just Provide Numbers and Statistics…

As a CEO, I hate spending money on things that don’t help grow my business or improve the products and services we bring to market. While I know there are necessary evils in business that require funding, the thought of spending money on things that are only used in a worst-case scenario are not attractive options to me when it comes to the allocation of limited and important resources. Having spent the majority of my career in the cyber security business, I am well aware that many of my CEO brethren lump security spending into the same bucket as other less desirable expenditures and believe me, I get it.

When the case is being made for budget, my management team expects that I’m going to ask some tough questions. What is the payoff? Where does the risk exist? How likely are we to be affected? What is the potential impact to our business? These are questions that need to be answered. Bottom line, I’m looking for them to prove their case as to why the risk or reward to the business warrants the expenditure.

IT Security BudgetsExecutives make purchasing decisions everyday based upon need over want, because they recognize that the failure to do so puts the company in an unacceptable position of risk. We don’t like it, but we understand it.

Here are five other things that we hate spending money on but are willing to do so in order to protect the business. Looking at the rationale for spending money in these areas can help you make the case to your own executive team why cyber security needs to be a priority in your company.

1. Insurance – in business and in your personal life, insurance is a check nobody ever wants to write. But we understand that protecting our critical assets against a catastrophic event is a necessity. Failure do so would be putting the company at risk of serious harm or even “going under” from a single event.

2. Legal Services – while I personally love our attorneys, life would be much simpler without the legal wrangling over contracts, leases and other complicated legal documents. But to try to do it alone would be crazy. Being protected under the law is a must for corporations, both private and public, and it’s well worth the expenditure to have these experts on your team.

3. Compliance – government regulations and compliance initiatives have been on the rise in recent years and show no signs of slowing down. Failure to comply can lead to fines and penalties that could be devastating to large corporations and catastrophic for small to mid-size businesses. Ensuring compliance is a top concern of all management teams, no matter how costly.

4. Data Storage – billions are spent each and every year on data storage solutions and yet I seem to get an alert on a weekly basis telling me that my email is over the size limit. The reason we hate spending money in this area is because we know that a large percentage of what is being stored does not contain critical data tied to the success of the business. However, we can’t take the chance that important data is not accessible so we make the additional investment.

Advertisement. Scroll to continue reading.

5. Disaster Recovery – again, worst-case scenario expenditure, but one that is absolutely necessary. With many businesses existing solely upon their information and intellectual property (IP), the the sudden catastrophic loss of its data center due to weather, or other form of disaster, could spell the end for many businesses. In today’s market full of information-based companies, the potential for systems and data to be unavailable is a non-starter.

Hopefully you noticed a common theme throughout these examples of things we don’t like to spend money on, but do anyway. In each case, the potential cost to the business of not making the investment far exceeds the actual spend. In other words, these are all critical services that are necessities and not choices. Cyber security is simialr and touches all of the examples above. Failure to protect your company’s critical data is not an option and can have wide-reaching implications beyond the walls of your own business. Depending upon the industry you are in, the compliance and legal issues that would result from a cyber-attack would put you at much more than further financial risk. A complete loss of data or IP could also put you quickly out of business.

When making the case for a security budget, this is the type of argument that will resonate with the CEO. Don’t throw numbers and statistics at them; lay out the business case and the importance cyber security plays in the protection of the brand. They probably still won’t like it, but they’ll be far more willing to buy into this rationale. For an executive not intimately involved with IT and security, it’s kind of like airbags in their car. They don’t want to ever think about them, but they’ll be glad they had them if they ever needed them.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem