The Battle of the Budget

April 4, 2018 | By Phil Gardner, IANS Founder & CEO
Why do some CISOs consistently command the budget and resources they need while others struggle? What can budget-constrained CISOs do to garner the support they need for their programs?

To answer these questions, we gathered insights from 85 information security leaders representing organizations with annual revenues greater than $500 million. The resulting research report, Winning the Battle of the Budget, reveals a number of budget-related best practices for CISOs.

Owning the Narrative

One of the main themes that emerged was the importance of owning the security narrative within the organization. Here’s what we learned from successful CISOs:

1. Stories Beat Metrics: Although metrics can be powerful tools, several CISOs argued that when it comes to securing a budget, it’s more important to deliver cogent stories. “Metrics don’t matter,” one CISO told us. “Narrative matters. I think metrics are useful when they don’t have any other way to evaluate you, but if you can create the right narrative, I think metrics mean very little.”

2. Craft Long-arc & Short-arc Stories: CISOs who have mastered the art of driving the narrative tend to develop two classes of security stories. One type tells a multi-year story of integrating InfoSec into the fabric of the company. This long-arc narrative understands the business and articulates how InfoSec powers growth and profitability. The short-arc stories detail particular investments and how they improve risk posture. Importantly, these two classes of security stories are coherent and fit well together.

3. Build Internal Channels & Alliances: Stories need audiences. When successful CISOs don’t have access to the key decision makers, they build and maintain informal channels and alliances to spread their message and advocate spending goals. One CISO explained: “I’m talking to peers or people lower in the organization to get things bubbled up in that executive’s area of responsibility. If I can get people on the executive’s team talking, it makes it a little more real for them.”

4. Informal Conversations Count: Successful CISOs don't miss opportunities to communicate the value of InfoSec. They insist that even water-cooler chats can make a difference. One CISO started talking informally about IoT risks long before it was an actual threat. Another said that he makes a point to invite the CFO to meetings and tabletops whenever possible. These small, casual efforts keep security top-of-mind and often lead to long-term budget support.

5. Avoid Technical Jargon: Finally, successful CISOs craft their stories in language that business leaders understand. They frame their technical solution in terms of how it will benefit the business. If the listener does not understand the story because of jargon, then he or she is unlikely to retell or spread it within the organization.

Establishing Credibility

The impact of these narratives also depends on the credibility of the storyteller, or how the CISO is regarded across departments and at the executive level. The report details several recommendations for improving credibility. One of the more surprising suggestions was to embrace cuts when possible, as this indicates an understanding of and respect for the larger needs of the business. “We have no fear about killing things off,” one CISO said. “When you save money and cut your own budget, people realize you aren’t just trying to get more.”

Winning the Battle

Somewhat surprisingly, the dichotomy between budget-constrained CISOs and those who command resources is not a matter of small and large organizations. Fortune-level companies with household names have CISOs who struggle to secure the necessary funds. Overall, our research revealed that 38% of CISOs are undersupported within their enterprise, while 62% are either supported or highly supported. The difference in stature depends on both the culture of the enterprise and the particular ways in which the CISO goes about the difficult task of elevating information security concerns within the company.

The good news, for undersupported CISOs, is that the situation does not have to be permanent. Our findings suggest that InfoSec leaders who learn to control the security narrative will advance their objectives, increase their stature, and ultimately win the battle of the budget.

To download a complimentary copy of the Winning the Battle of the Budget report, please visit https://www.iansresearch.com/battle-of-the-budget.