Why do some CISOs consistently command the budget and resources they need while others struggle? What can budget-constrained CISOs do to garner the support they need for their information security programs?
To answer these questions, we gathered insights from 85 information security leaders representing organizations with annual revenues greater than $500 million. The resulting research report, Winning the Battle of the InfoSec Budget, reveals a number of information security budget-related best practices for CISOs.
How to Secure Your InfoSec Budget
One of the main themes that emerged was the importance of owning the security narrative within the organization. Here’s what we learned from successful CISOs about how to help secure the InfoSec budget and resources for your security program:
1. Stories Beat Metrics: Although metrics can be powerful tools, several CISOs argued that when it comes to securing a budget, it’s more important to deliver cogent stories. “Metrics don’t matter,” one CISO told us. “Narrative matters. I think metrics are useful when they don’t have any other way to evaluate you, but if you can create the right narrative, I think metrics mean very little.”
2. Craft Long-arc & Short-arc Stories: CISOs who have mastered the art of driving the narrative tend to develop two classes of security stories. One type tells a multi-year story of integrating InfoSec into the fabric of the company. This long-arc narrative understands the business and articulates how InfoSec powers growth and profitability. The short-arc stories detail particular investments and how they improve risk posture. Importantly, these two classes of security stories are coherent and fit well together.
3. Build Internal Channels & Alliances: Stories need audiences. When successful CISOs don’t have access to the key decision makers, they build and maintain informal channels and alliances to spread their message and advocate for their spending goals. One CISO explained: “I’m talking to peers or people lower in the organization to get things bubbled up in that executive’s area of responsibility. If I can get people on the executive’s team talking, it makes it a little more real for them.”
4. Informal Conversations Count: Successful CISOs don't miss opportunities to communicate the value of InfoSec. They insist that even water-cooler chats can make a difference. One CISO started talking informally about IoT risks long before IoT was an actual threat. Another said that he makes a point to invite the CFO to meetings and tabletops whenever possible. These small, casual efforts keep security top-of-mind and often lead to long-term budget support.
5. Avoid Technical Jargon: Finally, successful CISOs craft their stories in language that business leaders understand. They frame their technical solution in terms of how it will benefit the business. If the listener does not understand the story because of jargon, then he or she is unlikely to retell or spread it within the organization.
CISO Credibility
The impact of these narratives also depends on the credibility of the storyteller, or how the CISO is regarded across departments and at the executive level. The report details several recommendations for improving credibility. One of the more surprising suggestions was to embrace cuts when possible, as this indicates an understanding of and respect for the larger needs of the business. “We have no fear about killing things off,” one CISO said. “When you save money and cut your own budget, people realize you aren’t just trying to get more.”
Winning the Battle of the InfoSec Budget
Somewhat surprisingly, the dichotomy between budget-constrained CISOs and those who command InfoSec resources is not a matter of small and large organizations. Fortune-level companies with household names have CISOs who struggle to secure the necessary funds. Overall, our research revealed that 38% of CISOs are undersupported within their enterprise, while 62% are either supported or highly supported. The difference in stature depends on both the culture of the enterprise and the particular ways in which the CISO goes about the difficult task of elevating information security concerns within the company.
The good news, for undersupported CISOs, is that the situation does not have to be permanent. Our findings suggest that InfoSec leaders who learn to control the security narrative will advance their objectives, increase their stature, and ultimately win the battle of the InfoSec budget.
Learn more about our research study, Winning the Battle of the InfoSec Budget.