Ask any cyber security specialist what their biggest challenge is, and you will get a variety of answers — ranging from strengthening network security, to managing internal threats, to protecting against cyber espionage. But upon further investigation, you may be surprised to learn that the unanimous pick for the biggest challenge cybersecurity professionals face is simply getting the funding necessary to carry out a security program. There are a great deal of resources and technical support available on how to deal with the never-ending list of threats that arise daily; and we have plenty of opportunities to learn and digest security best practices. However, little information or guidance is available to prepare one for the dreaded budget discussion when new or continued funding is necessary to maintain a strong cyber security posture.
Having established cyber security programs in two government organizations, the U.S. National Park Service, and now at Los Angeles World Airports, I have experienced a full range of discussions with a variety of financial teams. In all cases, good communication was the critical ingredient for success and resulted in the necessary funding, over a period of years, to establish and maintain a workable security program.
Most budget requests are accompanied by an ROI (return-on-investment) analysis. This is the language your financial team understands and with which they are most comfortable. A positive ROI is usually the difference between a positive and a negative decision on funding. However, cyber security budget requests are more difficult to quantify. Security ROI is typically expressed by comparing security investments with the potential liability caused by security breaches. This is similar to calculating the financial benefit of insurance for physical assets, such as buildings and equipment.
To start the budget discussion, you must stress cost avoidance rather than profits and you will need hard, empirical evidence to depict the business risks and associated costs. Interestingly, the specific nature of the threat, while critical to the security team, does not resonate with the financial staff. Their primary concern is the financial impact to the organization. Therefore, the best way to approach senior management to fund your cybersecurity program is to cast the expenditures using an ROI approach.
However, simply providing a well-defined ROI doesn't always guarantee success. There are a number of additional considerations when approaching senior management and your financial team when seeking funding.
1. Set the foundation for security funding before you need it; and once established, keep it strong.
If you haven't established a good working relationship with the financial decision-makers in your organization, you are already behind the curve. It is far better to have that relationship in advance of a budget request. If the first time they see you, your hand is out looking for funding, your chances of success are drastically reduced.
2.Don't use scare tactics.
They may work at first, but eventually, if you are successful in keeping your organization safe, this tactic may actually backfire. Your financial officer will only see that they provided funding and nothing happened.
3. Establish your cybersecurity credentials within your organization.
It is important for both you and your security team members to acquire security credentials, such as the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM). This gives your financial team confidence that you have the expertise to identify the risks and are able to plan and implement a security program that meets the threats facing your organization. Take advantage of the plethora of security seminars, webinars, and magazine articles that provide the most current information on threats and safeguards. And don't be afraid to share some of the non-technical materials you come across with senior management.
4. Relate your security risks to the business.
Identifying the technical aspects of malware threats, hacking, and Denial of Service (DoS) attacks will be almost incomprehensible to your senior management and financial decision-makers. Relating the threats to the impact on the business is far more meaningful. For example, if you rely on the Internet for sales and you have to shut down your Web portal, the specific cause is not a priority to senior management. The fact that you had to shut off your primary business conduit is the critical point.
5. Outline the need in plain English.
Never speak in technical terms to senior management or your financial team. In order to establish a strong communication channel, you need to have two-way communication about security issues, not a one-sided description of technical challenges. To have a two-way conversation, you need to frame the discussion with language that everyone can understand.
6. Develop a plan that meets the security needs but also considers financial constraints.
When meeting with the financial team, remember that very few organizations are free of financial constraints. It is unlikely that your organization has unlimited funds. You can show your understanding of their constraints by doing a little research on organizational funding practices and demonstrating your desire to make reasonable requests. They will likely appreciate your desire to understand the constraints in their job and will be more willing to assist you in performing your job.
7. Once you get the funding, follow the plan you outlined.
One of the most important things you can do to build trust with your financial officer is to use the funding provided exactly as you had outlined you would in your presentation. Nothing reduces the confidence in your approach more quickly than saying you need the funding for one thing and then spending it on something else. And, if changes become necessary, do consult with the financial team. Never surprise them with expenditures for things on which they have not previously been briefed.
8. Provide constant feedback on the security program.
Bring the financial team into your world as much as possible. Don't wait until you have an emergency and need immediate funding. Continually provide information to the financial team regarding the state of the cyber security world and your organization's place in it. This can be anything from a brief discussion in the hallway to forwarding an email on the latest threat.
9. Use outside resources to support your request.
If you are met with skepticism on your funding request, suggest that you bring in an outside cybersecurity expert to develop an independent third-party analysis/audit. If that doesn't work, bring in peers from other organizations in your vertical and have them conduct a peer review on your security operation. An "outside" opinion often seems to have more weight than that of internal staff.
10.Always emphasize that cyber security is not an "information technology" issue — it is an organizational risk management issue.
Of all the considerations, this is perhaps the most important. Cyber security is not only addressed through the IT department, but also through human resources in the form of personnel policies; your legal counsel through the enforcement of policies; and your senior management team, who must always insist that their employees follow company policies and rules and who may be accountable to stakeholders and/or compliance organizations to meet laws and requirements. In a distributed environment, you are likely to have numerous parts of the organization continually adding and modifying new technologies, all of which can cause changes to your overall security posture.
Senior management and your financial decision-makers understand risk and dollars. Establishing good communication and maintaining it is critical to receiving the funding necessary to implement and maintain a sound cybersecurity program.
Dominic Nessi is the Chief Information Officer for Los Angeles World Airports