Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Guest View: Security budgets: How to get your C-Suite’s attention

Rick Howard, Chief Security Officer, Palo Alto Networks | Jan. 29, 2014
As a security professional, I have found that if you want to get the executive suite’s attention, you have to frame your security budget proposals in terms of real business risk.

It's helpful to provide at least one real world, preferably recent example of each of these adversary motivations to show what the cost was to the business. A few years ago, for example, a disgruntled employee at Steven E Hutchins Architects destroyed seven years of customer data as well backup data. It cost the business $2.5 million to restore it.

The cyber adversary motivations that migrate to the top right of your Cyber Risk Heat Map are the risks you are trying to reduce. When you put Cyber Risk in the Top 15 of the overall Business Heat Map, the cyber adversary motivations that are in the top right of the Cyber Risk Heat Map are what you are referring to.

Explaining Mitigation 

The next step is to show how you, as the security professional managing the infrastructure, mitigate those risks. Again, this is not a technical discussion - it's an approach. I'd begin by discussing the Cyber Kill Chain.

Regardless of the motivation, every adversary will follow the Kill Chain approach into your network to be successful:

  1. Recon to find vulnerabilities in the company's defense.
  2. Develop a weapon to leverage any found vulnerabilities
  3. Deliver the weapon
  4. Install the weapon
  5. Establish Command & Control
  6. Deliver and Install the malcode package that will accomplish the task: steal credit card numbers, steal PII, destroy data, damage equipment, etc.
  7. Exfiltrate stolen information if that is the goal
  8. (Optional) Compromise more computers laterally

Adversaries have to be successful at all seven links in the Kill Chain to accomplish their overall objective. The defense only has to be successful once in the Kill Chain to stop them, however, and a good strategy is to place mitigation controls at each level of the Kill Chain and monitor for activity.

At this point, it's useful and illustrative to show examples of adversary activity down the Kill Chain for the past year; in other words, how far the attackers got down the Kill Chain and what we did about it. I'd close by evaluating the strength of our controls at each level in the Kill Chain. If I did everything correctly and pleaded my case, the weakest link in our Kill Chain defenses should be precisely the pet project that I am pushing in this year's budget.


The process I described allows security practitioners to clinically evaluate the risks to the business. For example, cyber hacktivism is a very scary thing but perhaps the impact to the business, if it were to happen, would not be material. It might be serious, but even toward the lower end of a range depending on your business sector and who your customer base is.

So take a prescriptive approach. Instead of trying to convince the C-Suite to spend money on cyber defense because, you know, it is cyber and it is scary, you can show them exactly what they are spending the money for and why it's important.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.