CISO Series: Budgeting Part II
Hopefully you've read (and maybe even benefitted from) Part I of my CISO Budgeting blog. To recap, I interviewed a group of CISOs about how they use budgetary discussions for career growth, and what advice they'd give to others looking to set a budget plan. There were five key takeaways that came out of these interviews; here were the first three:
- Whatever you do, don't under deliver.
- Budgets are about more than just the cost of technology.
- Prioritize your budget effectively. Understand what's “must do” vs. “could do.”
Below are the remaining two.
4. It is a good time for security.
The conversation has changed, in a big way. Preaching that “we really need to do this” has been replaced. “The era of the mega breach has captured the attention of my business,” said one CISO, referring to the fact that when partners, customers, or even competitors are in the news, security typically skyrockets to the top of the business agenda.
Most of the CISOs I spoke with said that, while panic-inducing, large-scale breaches have contributed to a heavy atmosphere of FUD (fear, uncertainty, and doubt), they've also made security a boardroom topic. And that's a reality they often use to their advantage. However, the question of just how much FUD is appropriate was a point of some contention.
On the one hand, certain CISOs acknowledged the underlying validity and usefulness: “Just because it's FUD doesn't mean it's not true. I turn it on a little bit when finance pushes back on budget – when they ask, ‘Why are you telling me that you need this now, when it hasn't been a priority in the past?' I simply tell them that it's stuff we should have been doing all along, and that we need to prevent ourselves from becoming a headline. For instance, we don't want to skimp on human capital when it comes to analysis and response.”
Conversely, some of the interview subjects felt that using FUD tactics was an unfair and unproductive way to approach budget discussions. One CISO, for example, acknowledged that “security has historically been met with skepticism, and hasn't gotten proper credibility with regards to delivering business value.” He added that, while the so-called “era of the mega breach” has certainly affected that perception, “if I don't run security well, or if I operate from a position of FUD, then I won't earn the right level of trust from my colleagues. These are partnerships that have to be built well in order for me to be successful.” Another echoed the same sentiment: “In order to get the business rallied around what I'm doing, I have talk like a business guy.”
All the interview subjects were in agreement that budgetary discussions have become easier (if still not easy) thanks to the increased level of security awareness. A side effect of this unfortunate reality is that it has given CISOs more organizational visibility – which means they must set expectations accordingly. Any security practitioner knows that there is no silver bullet when it comes to preventing attacks; the important thing is to manage risk. “There's no such thing as being invulnerable,” said one. “I manage risk, so it's just about managing how vulnerable we are.” Put another way, enabling the business to make informed decisions with regards to accepting or mitigating risk is the path to success. Most of the people in finance are not comfortable making that call.
5. Work on those soft skills.
In the course of their work, CISOs must employ one critical business tactic above all others: strategically navigating the political landscape of the business. This means approaching even tough budget conversations with patience, savvy, and empathy.
“I understand that I'm the personal trainer you didn't ask for,” one CISO said. “I'm coming in and telling you that your eating habits suck, you're 30 pounds overweight, and you need to work out more – all without you asking.” Another added, “As a security executive, you want to be able to generate demand for your services; that means executing well from a tactical perspective. Make people want to engage with you.”
Strong interpersonal skills are critical at the CISO level, but they're not qualities that are strongly emphasized throughout the course of a security professional's career. “Too often, as security professionals, we feel like the king of our domain,” an interview subject told me. “It's important to behave like a subject matter expert while still showing empathy; it's easy to transcend into over-confidence or even arrogance. Security is no longer a silo discipline, it's a matrix discipline that requires input from different parties. Bring people in, make them feel like they're part of the solution – it's almost like a Jedi mind trick.”
The necessity of building trust throughout the organization was a theme in nearly every interview I conducted. Time and again, the CISOs I spoke with underscored the importance of having productive discussions, effective interactions, and forging strong relationships – all of which come into play when it's time to plan a budget.
“Building trust with finance is huge,” said one. “I cultivated a relationship with the managing director early on, and it really paid off when I needed money down the line. Just do the gauntlet; be ready to answer the same question a million times, and wear a smile the whole time because you will, eventually, get there.” Many agreed that dealing with finance is often frustrating, and that patience is core to those conversations: “It's a little bit of a chess game; mostly finance just wants a good explanation of what you're going to do with the money. So be ready to explain it in layman's terms. And remember, value is measured in managing risk.”
So there it is, folks. If you're a security professional approaching budget-planning time, hopefully the wisdom and experiences of these seasoned CISOs will help guide you on your journey. It is by no means an easy process (I'd be hard-pressed to find any interview subject who exhibited enthusiasm about setting a budget plan) but it's a great opportunity to demonstrate aptitude for prioritizing, building trust, understanding the needs of the business, collaborating effectively, and gaining stakeholder buy-in.
For my part, conducting these interviews reminded me of how strongly connected security professionals feel to their colleagues. We see ourselves as a part of a larger web, small yet not insignificant, and integral to the success of the business. On the whole, the CISOs I spoke with displayed a great desire to provide sound guidance and deliver proven value, not just to further their own career paths but also because, to them, security is a way of life. The quote that sprang to my mind is from the Dalai Lama, who told us to “be the change.” It's doubtful that he was talking specifically about CISOs, but it certainly applies.
Up next: CISOs discuss the so-called “Talent Gap.” Does it exist? What does it mean? How can we cope with it?
If you've got thoughts, feedback, or know people you'd like heard and contributing to this project…let us know!