CISO Series: Budgeting
I have provided a brief overview of the genesis of the CISO series, and now it is time to tackle our first topic: security budgets. Whether you're the CISO of a large public company or leading security at an early-stage startup, rich in headcount or forced to be tight with the purse strings, reporting into the CIO, COO, or elsewhere in the organization, the fact remains that budget conversations are among the most critical and strategic conversations a security executive can have. Often times, setting a budget plan equates to prioritizing security projects for the business, which gives even more weight to the process.
In this series, we have captured some recommendations for CISOs seeking to use budgetary discussions for career growth; the takeaways often bleed into one another, so don't be surprised when you see overlap. The crux is that, as a CISO, you must make a case for budget in terms which are easily understood by upper management, while sidestepping the common stigmas that still plague security teams today (getting past that house of ‘no' banner). Use empowerment, rather than fear, to your advantage.
Of the many CISOs I've spoken to, all proved that they take their role seriously, especially the fiduciary duty to stakeholders, customers, and all aspects of the business ecosystem.
1. Whatever you do, don't under deliver.
One CISO labeled this the “deadly sin” of budgeting, and for good reason: in nearly all the discussions I had, CISOs agreed that promising the moon to get more budget will come back to bite you. “Do not ask for more budget than you will effectively be able to use,” another underscored. “You need to gain trust, especially if you're new to the position. Convince the board that you're effectively running security by not allowing money to be spent without results.”
In the same vein, CISOs have to spend the money that they ask for – so coming in significantly under budget will not win you points either, especially if your company reports to the street. “I'm hyper aware of forecast, versus budget,” one interview subject explained. “Where I work, the budget is mostly guesswork; the forecast is what really matters. I have a weekly meeting with finance to walk through department spend: what's been delayed, what might not be happening, and where we can pull from to compensate for the fact that some work may not be starting.”
Unsurprisingly, the human element plays a large part in determining how much a security team can reasonably deliver. Projects rarely finish on time, be fully aware in planning how other teams impact your ability to execute and deliver. Moreover, security professionals are in high demand but short supply, and some degree of turnover is inevitable – so plan with attrition in mind.
So, in financial conversations, how do you set expectations accordingly? It's all about delivering value; CISOs who have had successful budget discussions said they focused on efforts that support business initiatives, as these find the most support and help to gain internal champions. “I create a prioritized list of initiatives, and IT often has final say over what's above or below the line,” says a CISO. “They can sometimes see security as simply a cost center, so I always make a point to schedule a conversation that underscores which parts are crucial to the business.”
“The budget plan you deliver may be carried to higher echelons,” adds another, “so understand how the influence you exert can gain you a seat at the adults' table.”
The idea that a CISO's job hinges on influence, rather than command and control, is one that resonated throughout nearly all the interviews (they must be more of a personal trainer than a drill sergeant). To establish clout, one interview subject said, “I try to present my teams as force multipliers. In other words, what can they deliver that will magnify the impact of other key business initiatives? I don't necessarily mean from a revenue or cost reduction standpoint, more so in the ability of the business to be compliant with contractual obligations that the business is already under.”
2. Budgets are about more than just the cost of technology.
While under delivering can be a serious setback, that's wasn't the only cardinal sin of budgeting that CISOs underscored. Another common mistake: “starting with the technology – simply looking at the solutions you have in place and not taking external factors into account.”
Why is this a problem, exactly? “The best way to screw up budget is to look at all the different tools and solutions you have,” explains one CISO. “You then say, ‘Oh I need an antimalware solution because I don't have one, so I'm going to go ahead and budget for that.' I call this silo budgeting, and it will mess things up. Give other departments the chance to add input. During the discovery process, talk to partner teams to capture their requirements, concerns, and success criteria. Perfect compliance with that guidance won't be required, but it can help inform your strategy and earn you internal champions. Their participation will help ensure that the business sees value. And when the business sees value, everybody wins.”
Avoiding a myopic, technology-driven view of budget not only ensures a stronger security program, it also helps in conversations with finance. “You will need to justify your decisions,” was something that several CISOs told me. “There's often a perception that things have been done a certain way in the past, so people will ask, ‘Why do you need more money or more headcount now?' Have those conversations early, and be patient when having them. [One CISO used a sock puppet analogy here.] And remember, the world has changed and breaches have huge repercussions, which you can use to your advantage.” (We'll explore this concept more in takeaway #4.)
Another added: “Look at the business plan and let that inform your security strategy. Evaluate the basics – what you need to do to keep the lights on – as well as what you can do to protect and acquire revenue. What revenue streams may be generated, and what controls do you have in place to protect those revenue streams? What risk might be introduced into the organization, based on the direction that the business is going to take?” One CISO factored IoT issues into his strategic plan. “Be aware of what you connect to the Internet,” he advised, alluding to the fact that more Internet connectivity will create more entry points for attackers.
Headcount is also a key element. Several of the CISOs I spoke to were at high-growth organizations, but even those that weren't echoed the need to consider the human element in order to maintain or get to scale. One CISO emphasized the importance of the decision to keep in-house work versus hiring an external agency: “Does it make sense for me to hire technicians for my data center, or can I pool the work? Should I outsource this service, which would support the SMB community?” Regardless of whether it's your team, a partner, or a contractor, hours equal dollars spent. It's just a question of what makes the most sense from a resource perspective. “I look closely at the scope of effort and say, okay here's what I believe the hours will be,” recommended a CISO. “That way I can estimate the amount of money it will require. Once the list is vetted, we start plugging in capital dollars – hardware and software licensing, consulting, special services, and so on to get a final number.”
3. Prioritize your budget effectively. Understand what's “must do” vs. “could do.”
“Some things need to get done. Period.”
Budgeting is an exercise between wants and needs. In nearly every conversation I had, CISOs felt the pain of having to say goodbye to projects that simply didn't warrant time or money that particular year. The trick is to prioritize accordingly. One CISO shared his team's strategy, which was highly effective: “My team looks at what we want to do over the next 18 months. It's not a laundry list, it's a targeted game plan that we hash out, argue over, and discuss at length. If we don't think we can complete a particular initiative, then we cut it – we're not going to ask for the money if we can't deliver.”
In most cases, the CFO planning group and IT weigh in after priorities have been determined. A strong strategy is to establish a collaborative dialogue in which security can explain the underlying rationale, to gain buy-in from other parties. As one CISO explained, “We draw a line with IT. While projects below the line can still be funded, the understanding is that they simply aren't a high priority. That's when we start plugging in numbers.”
“When projects are not well understood, they get cut and security suffers,” adds another. “That's on me, because it means I didn't establish the value well enough.” Lower priority activities typically included general maintenance, such as systems nearing end of life and other routine enhancements perceived as taking more time than they are worth.
There is an art to building the case for a higher priority activity. Compliance mandates, unsurprisingly, tend to float to the top. Many of the CISOs I spoke to acknowledged that PCI almost always falls above the line and one “sprinkles PCI data throughout” his network in order to be strategic about leveraging compliance to his advantage. One freely admitted that “compliance does not equal security, but it certainly helps to lay the groundwork.” Another added, “External clients are excellent motivators – you don't have to sell the business on something if their biggest client will.” Then there are the CISOs who have high profile projects, such as building a SOC, in which case it's less arduous to get stakeholder buy-in: “Adding an incident management team was a big company initiative when we were building the SOC.”
CISOs must inevitably capitulate, to a certain extent. “A lot of what we're driven to do is to use our enterprise licensing better,” a CISO at a large corporation told me. “That can be counter to good security, so my job is to look at how we can be cost effective while still being focused on more advanced threat detection and response.”