Benchmarking your cybersecurity budget in 2023

Knowing which areas to focus on in a cybersecurity budget to drive the most significant business value is a must-have skill for CISOs.

Deloitte recently found that cybersecurity is core to cloud-based digital transformation, accounting for nearly 50% of the initiatives’ success. As they look at benchmarking and budgeting as the first step in driving revenue gains and advancing their careers, CISOs need to capitalize on every opportunity to link their spending to revenue gains.

That mindset is essential for CISOs who want to get a board-level position and show that they know how to use cybersecurity budgets to help support and drive revenue.

“I’m seeing more and more CISOs joining boards,” CrowdStrike cofounder and CEO George Kurtz said during a keynote at his company’s annual Fal.Con. “I think this is a great opportunity for everyone here [at Fal.Con and in the industry] to understand their impact on a company. From a career perspective, it’s great to be part of that boardroom and help them on the journey.”

Knowing how much consolidation is enough

Those CISOs who get it are turning their tech stacks’ complexity and high maintenance costs into consolidation opportunities that improve cyber-resilience, increase visibility and control, and reduce gaps in their security posture. Consolidation is a given for every CISO inheriting a large, complex and costly tech stack that needs to be factored down to improve scale.

CrowdStrike was early in identifying the need to support CISOs who must consolidate tech stacks to help drive more revenue. By devising a growth strategy that benefits their growth and their customers’ security postures, CrowdStrike helps customers strike the best possible balance between consolidation and new investments in software and services. By providing a methodology and internally based benchmarks, CrowdStrike has a strong record of helping customers understand the optimal level of consolidation given their unique business requirements.

Like CrowdStrike, Palo Alto Networks has defined a consolidation strategy for its customers. While their consolidation strategies differ, both CrowdStrike and Palo Alto Networks look to bring greater scale through cost savings while driving upsell and cross-sell revenue. Each maintains a strong focus on getting budgets and benchmarking right.

Quantify risk to get the board’s buy-in

Selling a board of directors and CEO on a cybersecurity budget must begin by defining it in terms that quickly grab attention and buy-in. CISOs tell VentureBeat that they are most successful in winning budget battles by explaining the downside revenue risk of not securing an enterprise area, then using that data to quantify cyber-risks.

Further strengthening the case for cybersecurity budget approval requires explaining the potential impact of a breach on revenues and the risks of not having a specific threat detection and response system in place. This must be quantified with cyber-risk data and strengthened with industry-standard benchmarks. Chief risk officers (CROs) and CISOs who collaborate and excel at cyber-risk quantification stand a better chance of having their budgets funded.

Cyber-risk quantification is a technique for defining and expanding budgets for zero-trust security frameworks and initiatives.

“Risk quantification helps you assess the value of cybersecurity projects using a commonly understood framework that ascribes a financial value to each prioritized decision based on statistical modeling of risk and expected loss,” Mark Tattersall writes in his blog post The Business Case for Risk Quantification.

Quantifying risk is essential to benchmarking in the right context so that CISOs can have guardrails for making the best decisions.

Cybersecurity benchmarking essential to growing a business

As Kurtz put it at Fal.Con: “Adding security should be a business enabler. It should be something that adds to your business resiliency, and it should be something that helps protect the productivity gains of digital transformation.”

Kurtz’s comments proved prescient, as a Deloitte study completed later in 2022 quantified just how critical cybersecurity is to all digital transformation initiatives — with the cloud being the most important.

“This means that security is now a driver of corporate strategy rather than buried as an operational line item only to be managed and measured as a cost,” Chris Gilchrist, principal analyst at Forrester, said during a session at Forrester’s Security and Risk Forum 2022. “In other words, security now has the latitude to defend and drive growth.”

By Louis Columbus

Read full source: VentureBeat