Overcoming InfoSec Budget Apprehension: 3 Proven Tips to Ensure CISO Success and Job Satisfaction
Demetrios Lazarikos (Laz)
April 18, 2022
According to Gartner, worldwide security and risk management spending may be under greater scrutiny in 2021compared to previous years. So that leads to two questions for us CISOs: How do we deal with the added pressure of getting our budgets approved? And how do we ensure our personal success and job satisfaction at the same time?
To start, remember the teams we belong to. Our internal security team begins with us. We, as the leaders, need to remain confident and strong. We are also part of a bigger team (the executive staff) and an even bigger team yet—the entire CISO community.
Also recognize that the well-known triad of People + Process + Technology means nothing if we don’t sync it with an agreed-upon process of Assessing + Strategizing + Planning security that aligns to our business objectives. It is critical in our roles that we prepare for the inevitable.
We also need to realize we’re moving at the speed of innovation, and there is a perpetual target on us as well as our team(s), our company, and our community. But how do we get that target off our back without painting it onto someone else and find a way to align our efforts with business objectives?
Here are three proven tips to point you down the right path:
TIP 1: Understand and Become One with the Business
Security has evolved to be top-of-mind for most boards and executive leadership teams. Your executive peers may watch the news and wonder how the latest security threats will impact your business. This is natural, and yes, this is important to discuss; security has to be part of the business DNA.
Yet, it can’t be only about threat and risk, when working with the business, it’s critical to ensure that you, your team, and the program are aligned to what really matters: meeting the business objectives. Here are the key questions we need to consider:
- What are the current growth plans and revenues for the quarter?
- How did the company do last quarter?
- If the company exceeds target revenue projections this quarter, which projects will get accelerated?
- How will projects be included as part of this acceleration?
Alternatively, if your company is not meeting sales numbers, which projects get cut? How will your projects be evaluated for any delays or if projects are cut?
There’s an additional point about seasons that I touch on next: some of this shouldn’t come as a surprise if you are engaged at the business level and paying attention.
TIP 2: Remove Roadblocks and Understand the Business Seasons
It’s 2021: Why are InfoSec teams still viewed as obstacles and not enablers? To dispel this paradigm, don’t be the person (or team) throwing up roadblocks at every turn. It’s our job to find creative ways to remove obstacles when working with the business—these activities are critical and necessary.
A roadblock left in place could be that one thing stopping the company from reaching its goals. And that’s a career-limiting move, so ask yourself, “How can we enable the business?”
When presented with what may look like a barrier to success, come up with a solution to the problem. It doesn’t have to be a “by the book” solution—there are unique ways to partner with business leaders and ensure we don’t crash through the roadblock. Our solutions are critical in protecting risk to revenue, and they may not be timed exactly with mapping to the season of the business. The season of your business will be dictated by the industry you’re in. Remember the point I made above about knowing how well the company is doing?
Now’s a good time to take this full circle. For example, retailers may thrive on back-to-school specials and year-end holidays while a FinTech company may focus on offering lower interest rates throughout a 12-month period. Each industry will have its own season. Each season impacts risk – and revenue – and projects.
That’s why it’s important to ask yourself, “What are your business seasons and how are you aligning your program to each season?”
TIP 3: Communicate with Clarity and Confidence
Being a modern-day CISO means we have to explain things in business terms. Every time we set out to present at any level of the organization, we must explain things in a language the business will understand.
One of the most compelling things we can do is to really understand our audiences. Cybersecurity storytelling has to be shaped for our audiences and telling a story that the business understands goes a long way.
For example, if you’re currently struggling with how to explain the number of repeated connections hitting your WAF to your business peers, consider positioning something like this:
Our website is still functioning because of the security controls we put in place; however, we still have high-risk countries that we don’t do business with that are trying to access sensitive areas of the site (login, transaction pages).
As shown in this example, the information you present and communicate needs to be succinct, to the point, and represented in a way that your audience knows what to do with the information they receive.
At the End of the Day, It’s Up to Us
To overcome InfoSec budget apprehension while ensuring success and job satisfaction, it’s up to us CISOs to ensure we communicate well. So, let’s be clear…some of our listeners will understand what we’re discussing; and some won’t. Some will just get it; others won’t have a clue.
But at the end of the day, it’s our job to ensure we communicate with clarity and confidence. And when we do, we will be much more likely to secure the budgets we need so we can implement strong security postures across our organizations and enable the business to succeed. And that will make our jobs a lot more satisfying!
To learn more about Blue Lava and join our CISO community, be sure to follow us on LinkedIn.
Laz has 30+ years industry experience, is a 3x CISO, the Co-Founder of Blue Lava, and is a globally-recognized authority in Information Security. He welcomes your feedback and can be reached at: laz at bluelava dot io.