How to ask the board and C-suite for security funding
CSO Online – Deb Radcliff
This article discusses the relationship between cybersecurity funding and enterprise risk management.
Boards of directors are taking on increasing responsibility for cybersecurity purchasing decisions.
Recent guidance from the National Association of Corporate Directors (NACD) and the Internet Security Alliance emphasizes the importance of prioritizing cybersecurity and empowering Chief Information Security Officers (CISOs) with the necessary influence and resources.
However, this does not mean that boards will automatically allocate more funding for cybersecurity.
Boards and executives are still focused on the bottom line and require accurate, risk-based funding requests.
CISOs traditionally have not effectively communicated the importance of cybersecurity to their boards, resulting in a disconnect.
Boards now recognize their liability in the event of a breach, and as a result, they are becoming more aware of cyber threats.
To secure cybersecurity funding, CISOs should not operate alone.
It is advisable to seek allies on the board and executive team, such as the CFO and CEO, who can provide insights into the business risk and support funding requests.
Building relationships with influencers in purchasing and other business units can also be beneficial.
When requesting funding, CISOs should demonstrate the return on investment (ROI), total cost of ownership (TCO), and the impact on the bottom line.
Although a directly measurable ROI on cybersecurity spending is uncommon, other benefits can be quantified: cost reductions and the losses avoided through risk reduction.
CISOs should calculate the TCO of implementing security solutions and communicate the potential costs of not implementing them, including the likelihood of a breach and its financial impact.
Understanding the risk appetite of the board is crucial.
Each organization will have different tolerance levels for risk, considering factors such as cyber insurance, data sensitivity, and regulatory landscape.
Communicating cyber threats in terms of enterprise risk, rather than technical metrics, can help bridge the gap between CISOs and boards.
Third-party risk calculation platforms, such as the one provided by NACD, can assist in translating technical needs into enterprise risk and facilitate communication with the board.
Ultimately, success in securing cybersecurity funding may not always mean obtaining more funding but making effective use of the budget available and investing in what truly matters for the business.
Link: https://www.csoonline.com/article/656230/how-to-ask-the-board-and-c-suite-for-security-funding.html