10 tips to secure funding for a security program
Dominic Nessi, CIO for Los Angeles World Airports, outlines ten essential tips for getting your financial team on board with your security funding requests
By Dominic Nessi
April 19, 2013 — CSO
Ask any cyber security specialist what their biggest challenge is, and you will get a variety of answers — ranging from strengthening network security, to managing internal threats, to protecting against cyber espionage. But upon further investigation, you may be surprised to learn that the unanimous pick for the biggest challenge cybersecurity professionals face is simply getting the funding necessary to carry out a security program. There is a great deal of resources and technical support available on how to deal with the never-ending list of threats that arise daily, and we have plenty of opportunities to learn and digest security best practices. However, little information or guidance is available to prepare one for the dreaded budget discussion when new or continued funding is necessary to maintain a strong cyber security posture.
Having established cyber security programs in two government organizations, the U.S. National Park Service and now Los Angeles World Airports, I have experienced a full range of discussions with a variety of financial teams. In all cases, good communication was the critical ingredient for success and resulted in the necessary funding, over a period of years, to establish and maintain a workable security program.
Most budget requests are accompanied by an ROI (return-on-investment) analysis. This is the language your financial team understands and with which they are most comfortable. A positive ROI is usually the difference between a positive and a negative decision on funding. However, cyber security budget requests are more difficult to quantify. Security ROI is typically expressed by comparing security investments with the potential liability caused by security breaches. This is similar to calculating the financial benefit of insurance for physical assets, such as buildings and equipment.
To start the budget discussion, you must stress cost avoidance rather than profits, and you will need hard, empirical evidence to depict the business risks and associated costs. Interestingly, the specific nature of the threat, while critical to the security team, does not resonate with the financial staff. Their primary concern is the financial impact on the organization. Therefore, the best way to approach senior management to fund your cybersecurity program is to cast the expenditures using an ROI approach.
However, simply providing a well-defined ROI doesn't always guarantee success. There are a number of additional considerations when approaching senior management and your financial team for funding.
1. Set the foundation for security funding before you need it; and once established, keep it strong.
If you haven't established a good working relationship with the financial decision-makers in your organization, you are already behind the curve. It is far better to have that relationship in advance of a budget request. If the first time they see you, your hand is out looking for funding, your chances of success are drastically reduced.