Ask any cyber security specialist what their biggest challenge is, and you will get a variety of answers -- ranging from strengthening network security, to managing internal threats, to protecting against cyber espionage. But upon further investigation, you may be surprised to learn that for many the biggest challenge is simply getting the funding necessary to carry out a security programme.
There are a great deal of resources and technical support available on how to deal with the never-ending list of threats that arise daily; and we have plenty of opportunities to learn and digest security best practices. However, little information or guidance is available to prepare one for the dreaded budget discussion when new or continued funding is necessary to maintain a strong cyber security posture.
Having established cyber security programmes in two government organisations, the U.S. National Park Service, and now at Los Angeles World Airports, I have experienced a full range of discussions with a variety of financial teams. In all cases, good communication was the critical ingredient for success and resulted in the necessary funding, over a period of years, to establish and maintain a workable security programme.
Most budget requests are accompanied by an ROI (return-on-investment) analysis. This is the language your financial team understands and with which they are most comfortable. A positive ROI is usually the difference between a positive and a negative decision on funding. However, cyber security budget requests are more difficult to quantify. Security ROI is typically expressed by comparing security investments with the potential liability caused by security breaches. This is similar to calculating the financial benefit of insurance for physical assets, such as buildings and equipment.
To start the budget discussion, you must stress cost avoidance rather than profits and you will need hard, empirical evidence to depict the business risks and associated costs. Interestingly, the specific nature of the threat, while critical to the security team, does not resonate with the financial staff. Their primary concern is the financial impact to the organisation. Therefore, the best way to approach senior management to fund your cybersecurity programme is to cast the expenditures using an ROI approach.
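A worked illustration of the cost-avoidance ROI described in the two paragraphs above, added here as an example and not part of the original article. It uses the widely used annualised loss expectancy (ALE = single loss expectancy x annual rate of occurrence) and return on security investment (ROSI) formulas, which the article itself does not spell out; the scenarios, loss figures and control cost are constructed sample values, not figures from the U.S. National Park Service or Los Angeles World Airports.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One business-impact scenario, phrased the way a finance team reads it."""
    name: str
    single_loss_expectancy: float  # cost of one occurrence, in currency units
    annual_rate_before: float      # expected occurrences per year without the control
    annual_rate_after: float       # expected occurrences per year with the control


def annualised_loss(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from a scenario."""
    return sle * aro


def cost_avoidance(scenarios: list[RiskScenario]) -> float:
    """Total expected yearly loss the proposed controls are expected to prevent."""
    return sum(
        annualised_loss(s.single_loss_expectancy, s.annual_rate_before)
        - annualised_loss(s.single_loss_expectancy, s.annual_rate_after)
        for s in scenarios
    )


def security_roi(scenarios: list[RiskScenario], annual_cost: float) -> float:
    """ROSI = (avoided loss - cost of controls) / cost of controls.

    A positive value means the programme avoids more loss than it costs;
    a negative value means the finance team will reasonably push back.
    """
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (cost_avoidance(scenarios) - annual_cost) / annual_cost


def budget_summary(scenarios: list[RiskScenario], annual_cost: float) -> dict:
    """Figures to put in front of senior management: business impact, not threat detail."""
    avoided = cost_avoidance(scenarios)
    return {
        "expected_loss_avoided_per_year": avoided,
        "programme_cost_per_year": annual_cost,
        "net_benefit_per_year": avoided - annual_cost,
        "roi": security_roi(scenarios, annual_cost),
        "per_scenario": {
            s.name: annualised_loss(s.single_loss_expectancy, s.annual_rate_before)
            - annualised_loss(s.single_loss_expectancy, s.annual_rate_after)
            for s in scenarios
        },
    }


# Constructed sample scenarios (hypothetical values, for illustration only).
SAMPLE_SCENARIOS = [
    # Having to shut the web sales portal for a day: the business impact is lost
    # sales, regardless of whether the cause was a DoS attack or malware.
    RiskScenario("web portal outage", 250_000.0, 0.5, 0.1),
    # A ransomware incident forcing recovery from backups and downtime.
    RiskScenario("ransomware recovery", 800_000.0, 0.2, 0.05),
]
SAMPLE_ANNUAL_COST = 150_000.0  # hypothetical yearly cost of the proposed controls


if __name__ == "__main__":
    summary = budget_summary(SAMPLE_SCENARIOS, SAMPLE_ANNUAL_COST)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The point of the per-scenario breakdown is that each line is a business event ("web portal outage") with a currency figure attached; the technical cause stays out of the table, which is the framing the article recommends for the budget discussion.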
However, simply providing a well-defined ROI doesn't always guarantee success. There are a number of additional considerations when approaching senior management and your financial team when seeking funding.
1. Set the foundation for security funding before you need it; and once established, keep it strong.
If you haven't established a good working relationship with the financial decision-makers in your organisation, you are already behind the curve. It is far better to have that relationship in advance of a budget request. If the first time they see you, your hand is out looking for funding, your chances of success are drastically reduced.
2. Don't use scare tactics.
They may work at first, but eventually, if you are successful in keeping your organisation safe, this tactic may actually backfire. Your financial officer will only see that they provided funding and nothing happened.
3. Establish your cybersecurity credentials within your organisation.
It is important for both you and your security team members to acquire security credentials, such as the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM). This gives your financial team confidence that you have the expertise to identify the risks and are able to plan and implement a security programme that meets the threats facing your organisation. Take advantage of the plethora of security seminars, webinars, and magazine articles that provide the most current information on threats and safeguards. And don't be afraid to share some of the non-technical materials you come across with senior management.
4. Relate your security risks to the business.
Identifying the technical aspects of malware threats, hacking, and Denial of Service (DoS) attacks will be almost incomprehensible to your senior management and financial decision-makers. Relating the threats to the impact on the business is far more meaningful. For example, if you rely on the Internet for sales and you have to shut down your Web portal, the specific cause is not a priority to senior management. The fact that you had to shut off your primary business conduit is the critical point.