During annual budget negotiations, there is always a question about spending priorities. As a security professional, I have found that if you want to get the executive suite's attention, you have to frame your security budget proposals in terms of real business risk. You don't want bogeyman-style, Fear, Uncertainty and Doubt (FUD)-driven presentations, but you do want an honest evaluation of the true risk of a cyber event to the business.
Don't make these presentations too technical, at least in the beginning. You have to get your executives' attention first or else you'll wear them down with geek-speak long before you get to explain your pet project. I always begin with what I call the Business Heat Map.
Most mid-to-large size businesses have some form of this graphic to present to the Board of Directors on a regular basis. It usually shows the Top 10-15 business risks to the company on a grid. The X-axis shows how likely it is that the threat behind the risk will actually materialize, usually presented as a range from "Remote" to "Almost Certain." The Y-axis shows the impact to the business if it does happen, presented as a range from "Very Low" to "Material" impact.
Your first battle is to make sure that cybersecurity risks make that Top 15 list. In other words, you're not even in the budget conversation unless the C-Suite acknowledges that there is actual business risk from a cyber vector, alongside the other risks that cause them concern: pending lawsuits, M&A activity, loss of reputation, and so on.
Explaining Cybersecurity As A Compelling Risk
Once I've established cybersecurity as a compelling risk, I like to build a Cyber Risk Heat Map just for the category, and show all of the cybersecurity risks that you and your team are tracking.
Again, this discussion with your budget makers shouldn't be technical - it is an overview, explained for an executive audience. We are not trying to show the 1,000 potential ways that an adversary can get into the network. We are trying to show the C-suite who the adversary is.
A good way to start is by putting the most likely cyber adversary motivations on the heat map:
- Cyber espionage
- Cyber crime
- Cyber hacktivism
- Cyber terrorism
- Cyber warfare
- Disgruntled employee
I would cheat a bit and add "insider threat" to the map because the question always comes up. That's a cheat because an insider threat can come in the form of any of these cyber adversary motivations - it's really more of a tactic and not quite a "motivation." But if you add it to the list of what to explain, you'll head off questions about your chart.
Where you place these adversary motivations on your heat map is likely to be different depending on your business sector. A financial services business, for example, might place cyber crime high and to the right on the heat map, whereas a manufacturing business might have it low and to the left.
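As an added example (not from the original article), the small Python script below turns a risk register into the likelihood-by-impact grid described above and checks whether the cyber risks make a Top-N cut. The five-step scales reuse the endpoint labels the article gives ("Remote" to "Almost Certain", "Very Low" to "Material"); the intermediate labels, the product-of-ranks score used to rank risks, and the two sector registers are constructed assumptions, not the author's data.

```python
"""Build a risk heat map from a risk register and rank risks for a Top-N list.

Assumptions (not from the article): five-step ordinal scales with the
intermediate labels chosen here, and a score of (likelihood rank x impact rank)
used only to order risks for the Top-N check.
"""
from dataclasses import dataclass

# Ordinal scales, lowest to highest. Endpoint labels follow the article.
LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Very Low", "Low", "Moderate", "High", "Material"]


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # "cyber", "legal", "strategic", "reputational", ...
    likelihood: str    # one of LIKELIHOOD
    impact: str        # one of IMPACT

    def cell(self) -> tuple[int, int]:
        """Return the (x, y) grid cell; reject ratings that are not on the scale."""
        try:
            return LIKELIHOOD.index(self.likelihood), IMPACT.index(self.impact)
        except ValueError as exc:
            raise ValueError(f"{self.name}: rating not on the scale") from exc

    def score(self) -> int:
        """Assumed ranking score: product of 1-based ranks on both axes."""
        x, y = self.cell()
        return (x + 1) * (y + 1)


def top_risks(register: list[Risk], n: int) -> list[Risk]:
    """Rank by score (highest first), break ties by name, keep the top n."""
    return sorted(register, key=lambda r: (-r.score(), r.name))[:n]


def cyber_in_top(register: list[Risk], n: int) -> list[str]:
    """Names of cyber-category risks that survive the Top-N cut."""
    return [r.name for r in top_risks(register, n) if r.category == "cyber"]


def render(register: list[Risk]) -> str:
    """Plain-text heat map: impact rows top-down, likelihood columns left-right."""
    grid = [[[] for _ in LIKELIHOOD] for _ in IMPACT]
    for r in register:
        x, y = r.cell()
        grid[y][x].append(r.name)
    lines = []
    for y in reversed(range(len(IMPACT))):
        cells = [", ".join(grid[y][x]) or "." for x in range(len(LIKELIHOOD))]
        lines.append(f"{IMPACT[y]:>14} | " + " | ".join(f"{c:<18}" for c in cells))
    lines.append(" " * 14 + " | " + " | ".join(f"{lbl:<18}" for lbl in LIKELIHOOD))
    return "\n".join(lines)


# Constructed sample registers illustrating the sector difference in the text:
# cyber crime sits high and to the right for financial services, low and to
# the left for manufacturing.
FINANCIAL = [
    Risk("Cyber crime", "cyber", "Almost Certain", "High"),
    Risk("Cyber espionage", "cyber", "Possible", "Moderate"),
    Risk("Disgruntled employee", "cyber", "Possible", "Low"),
    Risk("Pending lawsuits", "legal", "Likely", "High"),
    Risk("M&A integration", "strategic", "Possible", "Material"),
    Risk("Loss of reputation", "reputational", "Unlikely", "Material"),
]

MANUFACTURING = [
    Risk("Cyber crime", "cyber", "Unlikely", "Low"),
    Risk("Cyber espionage", "cyber", "Likely", "High"),
    Risk("Disgruntled employee", "cyber", "Possible", "Low"),
    Risk("Pending lawsuits", "legal", "Likely", "High"),
    Risk("M&A integration", "strategic", "Possible", "Material"),
    Risk("Loss of reputation", "reputational", "Unlikely", "Material"),
]

if __name__ == "__main__":
    for label, register in (("Financial services", FINANCIAL), ("Manufacturing", MANUFACTURING)):
        print(f"== {label} ==")
        print(render(register))
        print("Cyber risks in the Top 3:", cyber_in_top(register, 3))
        print()
```

The ranking score is deliberately simple; what matters for the budget conversation is the placement of each risk on the grid and whether any cyber risk survives the Top-N cut at all, which `cyber_in_top` answers for a given register.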