Chief Information Security Officers (CISOs) have historically chafed at budget constraints, with some pushing the envelope and bringing the case for stronger cyber defenses to the board room. New research indicates that executive decision-makers want InfoSec costs linked to business value and return on investment (ROI), and that the CISOs who typically achieve this goal are the ones who can deliver a compelling narrative to their peers.
An IANS study indicates that CISOs today are hard-pressed to overcome obstacles in enterprise security budgeting and risk management. The research shows IT security executives often find themselves battling on several key fronts. One such battle zone is the need for funding to keep their security programs strong.
“Despite promising numbers, however, executive decision-makers now want InfoSec costs inexorably linked to business value and return on investment. While some CISOs consistently command the budget and resources they need, others continue to struggle,” according to the report.
Another takeaway has to do with credibility, trust and influence. Regardless of size, reputation, maturity or corporate heft, security budgeting in organizations that inherently value information security looks completely different from budgeting in those that pay less attention to this crucial aspect in a day and age dominated by the digital economy.
This finding suggests corporate culture can make a huge difference in whether a CISO is supported by their peers. A separate data set from the same research bears this out.
38% of respondents considered themselves under-supported, while 62% described themselves as supported.
“Under-supported CISOs are expected to get the same products and services for either the same (42 percent) or less money (32 percent) as supported CISOs. Ultimately, Under-Supported CISOs are under more pressure and face more scrutiny for ongoing spend. Only 26 percent of Under-Supported CISOs said their ongoing spend is ‘pretty much left alone’ and that inflationary increases are accepted,” the report reads.
Furthermore, under-supported CISOs:
- suffer from a lack of corporate support
- rely more on technical narratives than on business justifications for budget requests
- are forced to fit security spending into broader IT budgets
- are in the early stages of risk prioritization, with reporting that lacks depth and context
- have difficulty reaching the organization’s most influential leaders because of long corporate reporting lines
But perhaps the key upshot from the IANS report is the importance for a CISO to display a high degree of eloquence when making the case for a stronger cyber-security budget.
“Somewhat surprisingly, a number of Fortune-level companies with household names have CISOs who struggle to secure the appropriate levels of funding,” said Phil Gardner, founder and CEO, IANS Research. “Although metrics are powerful, several CISOs expressed to us that when it comes to securing budget, it’s more important to deliver a narrative that business leaders can understand. CISOs who can deliver a compelling narrative on how InfoSec powers the business will advance their objectives, increase their stature and win the battle of the budget.” (emphasis ours)
So, key advice for up-and-coming CIOs and CISOs would be to do their homework before reaching out to their most influential peers, and at the same time to align security budgeting efforts with business value and ROI.