Intelligent CISO Issue 42 | Page 62

BUSINESS SURVEILLANCE

THE CISO CHALLENGE OF BUDGETING

As a result of the impact that COVID-19 has had on businesses, CISOs are under more pressure than ever to make informed decisions on where they invest their budget. Dietrich Benjes, VP and GM APAC, Qualys, explains why CISOs need to conduct a thorough assessment of their current security posture and evaluate how security can contribute to business objectives and priorities, in order to manage their budget accordingly.

The primary role of a CISO is to protect the business, its people and its data, but this doesn’t mean purely acting in ‘defensive’ mode.
In fact, a growing part of a CISO’s responsibility is to find ways to actively support and contribute to wider business priorities. According to Gartner, over 30% of a CISO’s effectiveness will be directly measured on their ability to create value for the business by 2023. This means CISOs must increasingly plan and manage their operational budgets with this type of value creation top of mind.
From the work my team and I do with rapidly expanding businesses across Asia Pacific, there are a few key points a CISO needs to remember when it comes to budgeting:
Solidify and expand relationships with other departments
Where possible, demonstrate how your budget decisions link directly to how your business generates revenue or accomplishes other business goals such as operational efficiency.
This establishes you as a business partner and cybersecurity as a business enabler, rather than a cost centre. Does it align with the business plan, protect existing revenue sources and have controls in place for newly created revenue streams from new products, acquisitions or new locations?
Alongside this, look at how to demonstrate your business acumen as well as your technology expertise. Wherever possible, you should explain cybersecurity risks based on business impact and use business language and risk profiles to find ways to enable new initiatives while minimising those potential issues over time.
Taking this risk-based approach does require you to develop strong relationships with multiple business functions within an organisation.
This involves finding common ground to start with and then using these joint concerns to engage in a consultative manner on ways security can help. By starting with business concerns, you can link your budget spend to results.
Take stock of what you have
A typical approach to allocating budget will start with your most important priorities. However, to deliver this, your priorities have to be accurate. The budget cycle should start with an assessment of company assets and risks, and an accurate overview of your IT assets and resources too.
Understanding the most critical assets for the business will ensure they are assigned adequate protection, but you also have to know everything is in place.
The assessment findings will be integral for your budget planning and recommendations. For instance, it’s still quite common to find companies that don’t have accurate IT asset inventories, or that lack key mitigation elements such as anti-phishing training, cybersecurity indemnity contractual clauses with business partners, cyber insurance coverage and a crisis management framework.