Tip 2: Go beyond compliance standards: It's no secret that compliance and regulations drive nearly 80% of CISOs' budget justifications. Industry standards like HIPAA and SOC 2 can offer a guiding framework for a program, but with evolving threats from AI, the rise of quantum computing and increasingly complex third-party risk, CISOs need to think about the threats that compliance doesn't necessarily mitigate.

If you can, aim to allocate 10% or more of your budget to risks that compliance does not address, over a 3-5-year horizon. These double-digit percentages are aspirational; the average CISO has a 3% discretionary budget. This budget does not have to be all net-new spend. For example, generative AI risks are top of mind for CISOs and boards, but dedicated, off-the-shelf tooling is in its very early stages. Existing budget line items, such as Data Security Posture Management (DSPM), SASE and GRC analyst hours, can reduce the risk to generative AI workloads and tooling. Increased investment in these technologies and processes, alongside new ones, builds a solid foundation for your company to leverage generative AI efficiently on a medium-term horizon while limiting net-new spending on point solutions. These investments lay the groundwork for your company to scale securely ahead of your competitors, rather than jumping in out of AI FOMO.

Your board wants to know that you are thinking about emerging risks and how to address them proactively in your budget. You may not have all of the data on a given risk, but you should still acknowledge it and help the board understand the likelihood of it impacting your organization. As the threat landscape evolves, so should your strategies for making your organization resilient to those risks.
Tip 3: Know thy board: Part of winning over your board is knowing what kind of persuasion drives their decision-making. Boards are getting smarter on cybersecurity; a recent NACD survey found that nearly 80% of boards say their cybersecurity knowledge has improved. Another survey found that 85% of companies either have or are looking for a board member with cybersecurity expertise. Now that boards are more aware of the importance of cybersecurity, it's your turn to meet them halfway and understand what they value from a business perspective.

Some boards are laser-focused on financial metrics and will only look at the dollars and cents of the budget. In that case, it's essential to communicate in financial terms; they'll want concrete examples of what the organization stands to lose from breach-related business interruption. This quantification does more than justify your budget; it creates a bridge between your security team and the business's imperatives. Other boards may be more motivated by storytelling. In that case, painting a step-by-step picture of what an attack could look like and the impacts that would follow will be most compelling.

In both cases, the budget and the conversation defending it should speak your specific board's language. Importantly, that level of insight into what the board values can only come from consistent check-ins throughout the year. Strive to build a relationship so you aren't simply a checkbox for the board come budgeting season.

CISOs should bring rigor, clarity and business alignment to security investment decisions. If you can quantify the risks for your board, account for emerging risks and understand what the board values most, you'll improve your odds of winning them over this fall.

This article is published as part of the Foundry Expert Contributor Network.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4093058/3-ways-cisos-can-win-over-their-boards-this-budget-season.html