Why do some CISOs consistently command the budget and resources they need while others struggle? What can budget-constrained CISOs do to garner the support they need for their information security programs?
To answer these questions, we gathered insights from 85 information security leaders representing organizations with annual revenues greater than $500 million. The resulting research report, Winning the Battle of the InfoSec Budget, reveals a number of information security budget-related best practices for CISOs.
One of the main themes that emerged was the importance of owning the security narrative within the organization. Here’s what we learned from successful CISOs about how to help secure the InfoSec budget and resources for your security program:
1. Stories Beat Metrics: Although metrics can be powerful tools, several CISOs argued that when it comes to securing a budget, it’s more important to deliver cogent stories. “Metrics don’t matter,” one CISO told us. “Narrative matters. I think metrics are useful when they don’t have any other way to evaluate you, but if you can create the right narrative, I think metrics mean very little.”
2. Craft Long-arc & Short-arc Stories: CISOs who have mastered the art of driving the narrative tend to develop two classes of security stories. One type tells a multi-year story of integrating InfoSec into the fabric of the company. This long-arc narrative understands the business and articulates how InfoSec powers growth and profitability. The short-arc stories detail particular investments and how they improve risk posture. Importantly, these two classes of security stories are coherent and fit well together.
3. Build Internal Channels & Alliances: Stories need audiences. When successful CISOs don’t have access to the key decision makers, they build and maintain informal channels and alliances to spread their message and advocate for their spending goals. One CISO explained: “I’m talking to peers or people lower in the organization to get things bubbled up in that executive’s area of responsibility. If I can get people on the executive’s team talking, it makes it a little more real for them.”
4. Informal Conversations Count: Successful CISOs don’t miss opportunities to communicate the value of InfoSec. They insist that even water-cooler chats can make a difference. One CISO started talking informally about IoT risks long before it was an actual threat. Another said that he makes a point to invite the CFO to meetings and tabletops whenever possible. These small, casual efforts keep security top-of-mind and often lead to long-term budget support.
5. Avoid Technical Jargon: Finally, successful CISOs craft their stories in language that business leaders understand. They frame their technical solution in terms of how it will benefit the business. If the listener does not understand the story because of jargon, then he or she is unlikely to retell or spread it within the organization.
The impact of these narratives also depends on the credibility of the storyteller, or how the CISO is regarded across departments and at the executive level. The report details several recommendations for improving credibility. One of the more surprising suggestions was to embrace cuts when possible, as this indicates an understanding of and respect for the larger needs of the business. “We have no fear about killing things off,” one CISO said. “When you save money and cut your own budget, people realize you aren’t just trying to get more.”
Somewhat surprisingly, the dichotomy between budget-constrained CISOs and those who command InfoSec resources is not a matter of small and large organizations. Fortune-level companies with household names have CISOs who struggle to secure the necessary funds. Overall, our research revealed that 38% of CISOs are undersupported within their enterprise, while 62% are either supported or highly supported. The difference in stature depends on both the culture of the enterprise and the particular ways in which the CISO goes about the difficult task of elevating information security concerns within the company.
The good news, for undersupported CISOs, is that the situation does not have to be permanent. Our findings suggest that InfoSec leaders who learn to control the security narrative will advance their objectives, increase their stature, and ultimately win the battle of the InfoSec budget.
Learn more about our research study, Winning the Battle of the InfoSec Budget.
December 15, 2021
By Phil Gardner