
How CISOs can forge the best relationships for cybersecurity investment – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Securing a cybersecurity investment isn’t just about crunching numbers — it’s about fostering cross-functional relationships. For CISOs, engaging key stakeholders will help build support to secure critical funding.

When it comes to securing cybersecurity investments, there are many things at play. The key often lies in the CISO’s ability to build relationships with key stakeholders across the organization. At the same time, CISOs are being tasked with protecting their organizations while navigating budget constraints.

Although nearly two-thirds of CISOs report budget increases, funding is only up 8% on average this year. That’s much less than the previous year’s growth, according to the IANS 2024 Security Budget Benchmark Summary report.

With budgets constrained, a CISO’s ability to secure sufficient funding depends on their influence and reputation within the organization. Fostering strong relationships with key business leaders is critical to securing their budget goals.

From developers to the CFO: How to build trust

Erica Antos, CISO at TriNetX, places a premium on building strong cross-functional partnerships that not only advance security initiatives but also align with the business’s overall objectives. She identifies adjacent business functions as important partners for collaboration and alignment.

In her case, this involves understanding the priorities of the CFO, collaborating with legal to ensure data protection requirements are met, and working closely with IT and engineering to align security tools with broader organizational needs. “You want to understand what their goals are and identify some of the tools that security also uses that can help achieve both goals,” Antos says.

For example, a zero-trust solution will also help IT modernize network access and remove the need for a VPN. Privacy requirements can involve the general counsel and security through data protection. For this she advises talking with legal about what their needs are and if there are any tools that security can help with to achieve their objectives.

In other cases, it might involve engineering and working with developers and engaging with the CTO on things like code reviews or security alerts. “You can take a solution that security might use as a security event information management system that can also have a deployment that helps engineering teams,” she tells CSO.

Naturally, building a good relationship with finance is crucial. This involves understanding their objectives and showing how security initiatives can help achieve those goals or provide cost savings.

“It might not be aligning with finance to deploy some sort of a tool or get budget for something but showing efficiencies or how deploying certain tools can save X dollars,” Antos says.

Impact of CISO’s reporting line on budget and relationships

The CISO’s proximity to certain stakeholders, based on their reporting line, can also affect their ability to align with key business leaders. Whether a CISO reports to the CFO, CIO, or directly to the CEO can influence how they prioritize and communicate security needs, and ultimately, how quickly they can gain buy-in for additional funding.

“It can guide daily interactions that build the relationship, help them understand the needs of the group they’re a part of and be able to align more quickly,” says Antos.

Antos believes it helps if it forces the CISO to understand the business side of how the organization works. “That’s thinking about efficiencies with a business hat as opposed to thinking with a purely technical hat,” she says.

In turn, applying a business mindset helps CISOs achieve budget goals and greater satisfaction when day-to-day security operations are in sync with the strategic goals and priorities of leadership, including the board. CISOs who lead security programs viewed in the context of business risk are more likely to be satisfied with their budget when this alignment is in place, according to the IANS report.

However, in practice, CISOs can find themselves facing a critical paradox, according to Richard Watson, global and APAC cybersecurity consulting leader at EY. On one hand, the board can express a low appetite for cyber risk, but on the other hand, management might be saying there’s a need to cut a certain percentage from the budget. “These are almost irreconcilable positions, yet I see a number of CISOs struggling with this paradox,” Watson says.

While the CFO is a key stakeholder due to their budget management role, in these kinds of situations, Watson says it’s important for CISOs to highlight these contradictory objectives and look to natural allies to help build support for their budget.

He suggests that CISOs can spend time with the chair of the audit risk committee and explain the paradox because it’s not always visible to the board if management don’t declare they’re operating in a way that is constraining budgets. “If surfaced with the chair of the audit risk committee, it can help the CISO justify further budget increases, or why just staying flat and not cutting funds is a requirement,” he tells CSO.

Maintain a visible profile within the broader organization

CISOs satisfied with their budget typically have visibility and credibility with leadership, engage in risk management discussions, and present program metrics to the board, the IANS report noted. It suggests that CISOs must maintain a visible profile and engage within the broader organization and frame the conversation around business risk more than technical controls.

Watson agrees that to successfully navigate influential, funding-related relationships, CISOs need visibility beyond the cyber and IT functions within the larger organization. “They may have started from technical beginnings, but to branch out beyond the IT department they need to be counted as a business partner and business advisor,” says Watson.

As Chris Peake, CISO at Smartsheet, points out, it’s not just about the CISO’s visibility — it’s about helping the organization understand the scope of cybersecurity threats it faces. The goal is to provide the context for making decisions around priorities and therefore funding and budget.

“If security is going to be a business enabler, it’s visibility not just of the CISO and the security program; the threat landscape needs to be clear to everyone,” Peake says.

The CISO’s role is communicating this information broadly across the organization, including to the C-suite and board, and to align it with the overall business goals. “The rest of the business needs to understand what they’re up against and this helps them have the context for making decisions about what’s going to be prioritized,” Peake says.

While it’s not always been a natural fit for CISOs to be fluent in finance, that’s changing as more conversations consider the financial aspects of the business. “Most of my peers are talking about budget and how we finance and think about bringing new technologies into the organization,” he says.

New technologies like generative AI, which open new threat vectors, are also triggering some budget conversations because they require investment to manage and secure. “They may require resources and that requires new perspectives in terms of how we deploy our existing tools,” he says.

Nonetheless, there will be situations where budget decisions stall and CISOs struggle to get certain projects prioritized.

Not having a relationship with a key stakeholder, or even having a contentious relationship, can create barriers that otherwise wouldn’t be there, Antos says. “It can lead to misunderstandings about what the security team is trying to do or lead to incorrect assumptions, misinterpretations or poor communications,” she says.

These can hinder budget allocation and lead to the solution or initiative falling off the priority list. It reinforces the importance of a shared understanding of the project’s importance. This requires constructive relationships and aligning priorities.

“A lot of the time, what security does is implemented by other teams, like engineering, developers or IT, and so whatever it is you’re looking to implement, you’ll need to get it prioritized into their work queue,” she says.

Financial literacy underpins relationships that impact funding

With organizations facing financial headwinds, it puts more pressure on CISOs to justify their budget to stakeholders including the CFO, CEO, and the board, according to Watson. “In addition, new requirements for SEC disclosures are driving a big focus on cyber risk quantification because materiality has become really important,” he says.

To convincingly answer these challenges, CISOs need to tie cyber risk to budget, which is why cyber risk quantification tools are becoming more important in building a robust business case.

“How do you prove if something is material or not? You need to have a mathematical formula to do that. It’s the art and science of cyber risk quantification, which is now gathering a lot of momentum in organizations,” he says.

For smaller organizations and those that don’t engage consulting firms, Antos suggests they utilize ISACA or IANS tools and resources to build out their risk analysis and budgeting processes. “These tools provide guidance and materials to help security teams develop the necessary financial literacy and budgeting processes internally,” she says.

ISACA’s Capability Maturity Model Integration (CMMI) framework helps with cost control and risk-based budgeting strategies. Organizations using the framework showed a 47% reduction in cost variance, according to the 2023 CMMI Technical Report.

For Antos, degrees in information systems and accounting have helped to bridge the technical and financial aspects of the CISO role. She emphasizes that understanding the language of finance and communicating the business value of security investments can significantly strengthen a CISO’s position when negotiating budgets.

For CISOs, financial literacy is no longer optional — it’s essential for engaging stakeholders and building the business case for security investments.

Understanding the budgeting process and communicating security’s business value allows CISOs to bridge the gap between technical requirements and organizational priorities, ensuring they get the resources they need.

On a practical level, conversations about the needs of security, especially when it comes to big projects, need to start early and explain how the project will impact the business.

“Having all of that beforehand is a lot easier than trying to do it during the budgeting process,” she says.


Original Post url: https://www.csoonline.com/article/3625745/how-cisos-can-forge-the-best-relationships-for-cybersecurity-investment.html

Category & Tags: CSO and CISO, IT Leadership
