The Battle of the Budget
April 4, 2018 | By Phil Gardner, IANS Founder & CEO
Why do some CISOs consistently command the budget and resources they need while others struggle? What can budget-constrained CISOs do to garner the support they need for their programs?
To answer these questions, we gathered insights from 85 information security leaders representing organizations with annual revenues greater than $500 million. The resulting research report, Winning the Battle of the Budget, reveals a number of budget-related best practices for CISOs.
Owning the Narrative
One of the main themes that emerged was the importance of owning the security narrative within the organization. Here’s what we learned from successful CISOs:
1. Stories Beat Metrics: Although metrics can be powerful tools, several CISOs argued that when it comes to securing a budget, it’s more important to deliver cogent stories. “Metrics don’t matter,” one CISO told us. “Narrative matters. I think metrics are useful when they don’t have any other way to evaluate you, but if you can create the right narrative, I think metrics mean very little.”
2. Craft Long-arc & Short-arc Stories: CISOs who have mastered the art of driving the narrative tend to develop two classes of security stories. One type tells a multi-year story of integrating InfoSec into the fabric of the company. This long-arc narrative understands the business and articulates how InfoSec powers growth and profitability. The short-arc stories detail particular investments and how they improve risk posture. Importantly, these two classes of security stories are coherent and fit well together.
3. Build Internal Channels & Alliances: Stories need audiences. When successful CISOs don’t have access to the key decision makers, they build and maintain informal channels and alliances to spread their message and advocate spending goals. One CISO explained: “I’m talking to peers or people lower in the organization to get things bubbled up in that executive’s area of responsibility. If I can get people on the executive’s team talking, it makes it a little more real for them.”
4. Informal Conversations Count: Successful CISOs don't miss opportunities to communicate the value of InfoSec. They insist that even water-cooler chats can make a difference. One CISO started talking informally about IoT risks long before it was an actual threat. Another said that he makes a point to invite the CFO to meetings and tabletops whenever possible. These small, casual efforts keep security top-of-mind and often lead to long-term budget
5. Avoid Technical Jargon: Finally, successful CISOs craft their stories in language that business leaders understand. They frame their technical solution in terms of how it will benefit the business. If the listener does not understand the story because of jargon, then he or she is unlikely to retell or spread it within the organization.
The impact of these narratives also depends on the credibility of the storyteller, or how the CISO is regarded across departments and at the executive level. The report details several recommendations for improving credibility. One of the more surprising suggestions was to embrace cuts when possible, as this indicates an understanding of and respect for the larger needs of the business. “We have no fear about killing things off,” one CISO said. “When you save money and cut your own budget, people realize you aren’t just trying to get more.”
Winning the Battle
Somewhat surprisingly, the dichotomy between budget-constrained CISOs and those who command resources is not a matter of small and large organizations. Fortune-level companies with household names have CISOs who struggle to secure the necessary funds. Overall, our research revealed that 38% of CISOs are undersupported within their enterprise, while 62% are either supported or highly supported. The difference in stature depends on both the culture of the enterprise and the particular ways in which the CISO goes about the difficult task of elevating information security concerns within the company.
The good news, for undersupported CISOs, is that the situation does not have to be permanent. Our findings suggest that InfoSec leaders who learn to control the security narrative will advance their objectives, increase their stature, and ultimately win the battle of the budget.
Here is a complimentary copy of the Winning the Battle of the Budget report and associated Infographic.