How to ask the board and C-suite for security funding

Recent guidance published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance instructs board members to drive “a culture of corporate cyber responsibility” by empowering CISOs with the influence and resources they need to drive decisions where cybersecurity is effectively prioritized and not subordinated to cost, performance, and speed to market.

Although this sounds like a CISO’s dream come true, it doesn’t mean that boards will suddenly open the purse strings. Responsible to their shareholders, boards and executives will always be hyper-focused on the bottom line. Only now, with liability bearing down on them, they require accurate, risk-based funding requests qualifying the need, total cost of ownership, effectiveness, breach exposure and likelihood, and cost to the business should a breach occur.

Traditionally, CISOs haven’t communicated this information well enough to their boards, Chris Hetner, special advisor for Cyber Risk at the NACD, tells CSO. Hetner, who is also a council member on the NASDAQ Center for Board Excellence, points to the July-updated SEC rules for cyber risk management implicating senior leaders in breaches. Board liability for risk is sinking in, he says, and as a result, board directors are rallying around cyber threats.

This trend definitely impacts how CISOs articulate the need for funding their security programs, Hetner continues. “As an investor, I need to know how you’re treating this risk compared to any other risk and why it matters. Juxtapose that with a CISO bringing in highly technical metrics and reports not understood by the board and you see the disconnect. You want to prepare a tailored, business-focused cyber risk report, ideally on a quarterly basis, that converts technical metrics into understandable, business-aligned metrics. Then, you’ll get your funding.”

Don’t go it alone when asking for cybersecurity funding

When it comes to funding requests, CISOs shouldn’t operate in a vacuum. Hetner suggests seeking allies on the board and executive team, including the CFO and CEO. These people can help CISOs understand the business risk to frame their funding requests around and are often the same people who sign off on them. He also suggests reaching out to other influencers in purchasing and the business units that will benefit from the funding request.

Finding allies is a key strategy for Michael Bray, CISO of the Vancouver Clinic in the state of Washington. He has gone so far as to educate the board and C-suite on their fiduciary responsibilities when it comes to cyber risk and funding. “Who owns the risk?” he asks. “The board does. They also dictate the risk appetite, provide strategic direction, oversight, and governance for security best practices and spending requirements, as per standard business operation.” This extends to understanding risk assessments and mitigation strategies to protect assets and stakeholders, as well as ongoing compliance efforts, and incident response, which he terms “breach management” when speaking to the board.

Bray strives to hold regular and impromptu meetings with board members and executives. For example, he leads quarterly budget discussions with the board in addition to “tiered information” huddles once a week. He also huddles with steering committees, some of which have board members on them who end up channeling his voice, he adds.

To deepen the alliance and to share knowledge up the chain, he takes short jaunts with senior executives to grab lunch, go to offsite industry meetups, or attend cool hacking events or eye-opening demonstrations. “Find ways to get on their calendar for seemingly non-related topics that don’t directly connect to budget,” he explains. “Because of these relationships, when we have an impromptu critical request, we’ve been one hundred percent supported on funding that we’ve requested.”

For example, in October Bray gave a short briefing to his leadership team about the potential impact to their operations related to the Israeli war with the Hamas terrorist group. His company, he says, has several Israeli-supported security platforms in their portfolio, which he made executives aware of. He offered backup alternatives to have at the ready, along with projected costs should they need to go that route.

Demonstrate ROI, TCO, and the bottom line

IANS Research reported IT security budgets being stalled and slashed in 2022 and 2023. In such a climate, proving spending effectiveness against risk reduction and total cost of ownership over the lifetime of the solution is key to getting funding requests approved, notes Dd Budiharto, founder and CEO of Cyber Point Advisory, who’s served as CISO for several different oil and gas companies in Texas.

While reportable ROI is relatively unheard of in cybersecurity spending, it is possible to quantify additional benefits, cost reductions, and loss avoidance through risk reduction, notes Budiharto. For example, when requesting funding to implement a new SIEM solution a while back, she had to overcome the misconception that SIEM is only for security alerts.

“I told them that even though the money is coming from the security budget, this was a benefit to business operations in general. We showed how a SIEM monitors infrastructure server and network health, so the infrastructure team can be more responsive, accurate, and faster when troubleshooting network anomalies,” she explains.

Calculating total cost of ownership (TCO) is even more important to communicate when requesting funding, Budiharto continues. “I usually have an end-to-end model included in my proposals, from selection requirements to operation and maintenance, depreciation and amortization, ongoing licensing fees, people skills, and warranties covering the entire lifecycle of the solution,” she notes. “I invite every stakeholder to the table and solicit their requirements and input before presenting a purchasing option. This due diligence also applies to board-proposed spending requests.”

Calculate cost of not implementing security technology

Risk acceptance is the board’s prerogative. So, Budiharto advises CISOs to calculate and communicate the cost of not implementing the solution, including the likelihood of a breach or exposure, and the full financial impact of such a breach or exposure (from direct losses to cleanup costs) should the funding request be denied. “To the CFO, those savings should far outweigh the TCO of implementing and managing the solution,” she adds.

Putting it all together, she describes a scenario where a new solution needs to be added to the existing EDR to stop ransomware in its tracks, kill it, and remediate it faster and more thoroughly than their existing EDR does. “The board will ask, ‘How is that related to the bottom line?’ So, I calculate the loss of revenue in productivity and loss of business and multiply that by the average days of trying to resolve a ransomware attack under the current EDR system,” Budiharto explains. “These types of comparisons will help the board see the big picture, including how your solution will help avoid that big expense.”

Understand their risk appetite

How big an expense the board is willing to incur should the worst happen differs for every organization, depending on the type of business and associated risk tolerance, along with mitigating factors such as cyber insurance payouts, sensitivity of data, and the regulatory landscape.

NASDAQ’s Hetner explains that this is where he sees the most common disconnect between CISOs, who have no tolerance for risk, and their boards, who usually do. To address this, he points to NACD’s cyber-risk reporting service, a third-party risk calculation platform that he says helps translate technical needs into enterprise risk and can assist CISOs in communicating the cyber threats most likely to cause the highest financial and reputational losses, including cost to remediate and repair, in comparison to the corporate risk threshold.

The pay-for service is underpinned by the X-Analytics platform developed by Security Innovation Corporation. “When we updated the platform for CISOs to understand and communicate business exposure to cyber risks, one of the strongest use cases was board reporting to enable cyber risk oversight for directors,” says Kyle Ferguson, VP of operations at Secure Systems, during a demonstration of the platform.

Based on the demo, the tool automates many of the steps discussed in this article and scores them against a company’s risk tolerance, which are processes that CISOs are trying to do manually with spreadsheets and calculators. Ferguson says that the visualization and mapping helps all parties visualize where and where not to apply resources. “Success isn’t always more funding,” he adds. “Success might be making good use of the budget that you have, and spending on what really matters for the business.”
