8. Provide constant feedback on the security program.
Bring the financial team into your world as much as possible. Don't wait until you have an emergency and need immediate funding. Continually provide information to the financial team regarding the state of the cyber security world and your organization's place in it. This can be anything from a brief discussion in the hallway to forwarding an email on the latest threat.
9. Use outside resources to support your request.
If you are met with skepticism on your funding request, suggest that you bring in an outside cybersecurity expert to develop an independent third-party analysis/audit. If that doesn't work, bring in peers from other organizations in your vertical and have them conduct a peer review on your security operation. An "outside" opinion often seems to have more weight than that of internal staff.
10.Always emphasize that cyber security is not an "information technology" issue -- it is an organizational risk management issue.
Of all the considerations, this is perhaps the most important. Cyber security is not only addressed through the IT department, but also through human resources in the form of personnel policies; your legal counsel through the enforcement of policies; and your senior management team, who must always insist that their employees follow company policies and rules and who may be accountable to stakeholders and/or compliance organizations to meet laws and requirements. In a distributed environment, you are likely to have numerous parts of the organization continually adding and modifying new technologies, all of which can cause changes to your overall security posture.
Senior management and your financial decision-makers understand risk and dollars. Establishing good communication and maintaining it is critical to receiving the funding necessary to implement and maintain a sound cybersecurity program.
Sign up for CIO Asia eNewsletters.