#Infosec2025: Ensuring Budget and ROI on Security Purchases

The best tactics for board and budget buy-in.


Businesses should focus on ‘simplify than AI’ when it comes to gaining and showing a good ROI on budget.

In a panel discussion at Infosecurity Europe in London, moderator and BBC cyber correspondent Joe Tidy asked if there is a ‘rush to spend’ budget in light of other incidents. Mun Vasiiji, CISO at Close Brother said those incidents can ‘grease the wheels’ in terms of appetite from businesses, while Madelein van der Hout, senior analyst at Forrester, asked for a show of hands on how many audience members had seen an increase in budget - with the majority raising hands.

“These are volatile times and these are usually related to an incident or breach,” she said.

Jon Davies, director of cyber at KPMG, said it is important to have a spending strategy, as that can help ensure sustainable growth, understand ROI, “and get the next shiny tool.”

Panic Buy

Asked by Tidy if there is ever any panic buying, or if “all security is good security?”, Vasiiji said businesses have “different levels to push and pull to provide assurance to the board” on what is going on in the outside world. “You need a balance of relative catastrophe but realism.”

Davies said part of the CISO’s role is to “understand where you are as a CISO” as cyber hygiene is not easy to do, as you’re dealing with legacy estates and out of date systems. “So it is about vulnerability management, but not in isolation,” he said, as you need to step back and work with IT and who is responsible for patching and come together collectively.

On the point on AI, Vasiiji said this needs to be part of your 3-5 year strategy and how you can achieve this organically through relationships, “as not everyone is ready to enable.”

Van der Hout also encouraged talking to the board on where you want support, and agreed that this comes down to visibility.

Asked by Tidy if money can be pre-allocated to different areas, Davies cited the example of doing incident response, and the cost associated to working with an external partner.

Vasiiji said you can try to run practice exercises for crisis scenarios, but these “take months of planning”, particularly when you need to take a day from a senior leader.

Keep Language Simple

Vasiiji said getting board and budget buy-in is about “language and communicating” as if you can keep language simple, and focus on confidentiality, integrity and assurance and what is the risk to board. “Keep it simple,” he said.

Van der Hout also said as a CISO, choose which products and tools align with your risks and show what it does, and not just be “the next shiny thing.”

In a final audience question, the panel were asked if budget is not available, how can you inform the board that you cannot keep them secure? Vasiiji said 100 percent security can never be assured, but “do what you can to protect and defend” and have more conversation on generating revenue.

“Call it ROI or brand protection when it comes to investment and support,” he said. “Understand what the threat landscape is and spend as little time as possible on boiling the ocean and focus on risk and more on the resources you do have.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
