How to ask the board and C-suite for security funding
Recent guidance published by the National Association of Corporate Directors (NACD) and the Internet Security Alliance instructs board members to build “a culture of corporate cyber responsibility” by empowering CISOs with the influence and resources they need to drive decisions in which cybersecurity is effectively prioritized and not subordinated to cost, performance, and speed to market.

Although this sounds like a CISO’s dream come true, it doesn’t mean that boards will suddenly open the purse strings. Responsible to their shareholders, boards and executives will always be hyper-focused on the bottom line. Only now, with liability bearing down on them, they require accurate, risk-based funding requests qualifying the need, total cost of ownership, effectiveness, breach exposure and likelihood, and cost to the business should a breach occur.

Traditionally, CISOs haven’t communicated this information well enough to their boards, Chris Hetner, special advisor for Cyber Risk at the NACD, tells CSO. Hetner, who is also a council member on the NASDAQ Center for Board Excellence, points to the July-updated SEC rules for cyber risk management implicating senior leaders in breaches. Board liability for risk is sinking in, he says, and as a result, board directors are rallying around cyber threats.

This trend definitely impacts how CISOs articulate the need for funding their security programs, Hetner continues. “As an investor, I need to know how you’re treating this risk compared to any other risk and why it matters. Juxtapose that with a CISO bringing in highly technical metrics and reports not understood by the board and you see the disconnect. You want to prepare a tailored, business-focused cyber risk report, ideally on a quarterly basis, that converts technical metrics into understandable, business-aligned metrics. Then, you’ll get your funding.”

Don’t go it alone when asking for cybersecurity funding

When it comes to funding requests, CISOs shouldn’t operate in a vacuum. Hetner suggests seeking allies on the board and executive team, including the CFO and CEO. These people can help CISOs understand the business risk to frame their funding requests around…
