We need more budget to scare you
Yaron Levi
CISO at Dolby | 2x CISO | Security Tinkerer | Board Member | Boardroom Certified Qualified Technology Expert (QTE) | Venture Advisor | CSA Research Fellow
Once upon a time in a company far far away
Several years ago, in a different organization, my team and I successfully implemented a Vulnerability Management program. It was a massive undertaking, taking over a year to complete and a sizable budget. Our goal was to continuously scan over 100,000 devices and automate the reporting of findings to the relevant teams. The project went beyond reporting: we actively collaborated with teams across the organization to address and remediate the vulnerabilities it found.
Naturally, management was keen to understand the results. This project was a significant investment, driven by the need to enhance our security posture, meet compliance requirements, and manage the increased workload on IT and engineering teams. As expected, we identified numerous vulnerabilities in such a large environment and established a process for remediation.
The following year, I requested a budget to acquire a tool for scanning application vulnerabilities. This seemed like a logical step given our software development activities. To my astonishment, the COO responded with, “Last year we gave you budget to buy a tool that told us how bad we are, now you want to buy another tool to tell us how much worse we are?”
I wasn't expecting that, and I wasn't happy to say the least.
Back to the drawing board…
Reflections and lessons learned
Clearly, I hadn’t effectively communicated the tool’s value to the COO. He was a smart guy, but my initial request framed the investment as “We need more budget to buy things to tell you about more things you should worry about.” Ironically, this is a common tactic used by security vendors, who often emphasize “visibility” while conveniently overlooking the increased workload that visibility creates.
I firmly believe in proactive security measures, and it’s essential to clearly communicate the benefits and risks. Whether you’re a vendor pitching to a CISO or a CISO seeking budget approval, consider the following:
Is the investment needed to Grow the Business, Optimize Cost, or Reduce Risk?
Here are a few examples:
While there are numerous factors to consider, framing the investment in terms of business value is more effective than relying on “best practices” or “compliance mandates”, especially when communicating with non-security stakeholders. Security risk is a business risk like any other. Aligning your request with the organization’s goals will improve the chances of securing the necessary funding.
I’m curious about your experiences. What strategies have you found successful for justifying security investments?
This post is also available on my blog Sageinsights.io
Global Chief Marketing, Digital & AI Officer, Exec BOD Member, Investor, Futurist | Growth, AI Identity Security | Top 100 CMO Forbes, Top 50 CXO, Top 10 CMO | Consulting Producer Netflix | Speaker | #CMO #AI #CMAIO
4 months ago
Yaron, thanks for sharing! How are you doing?
One of the things I’ve focused on is ensuring that each of my managers develops a real-time view of the cost of providing each of their service lines. As you sagely note, security risk is business risk, and too many CISOs don’t work hard enough to speak the language of the business. Can we do without increased budget or headcount? Sure! But that means we have to make decisions about what we are going to stop doing, protecting against older risks to prioritize emerging ones, etc. These are all business decisions.
CEO & Co-founder at Kovrr | Cyber Risk Quantification
6 months ago
Great write-up! How about highlighting the direct financial ROI of a security control upgrade or the implementation of a new solution (in terms of the reduction in financial exposure it results in)? This misconception of cyber as a resource drain persists largely because of the communication gap you discussed, but monetary insights are a common business language that all executives understand. These stakeholders simply want to know, in tangible terms, how the cyber initiatives drive growth, just as they would want to know regarding any other departmental initiative.
When I was a risk leader at a large credit company, FUD selling was rampant. Yet there is a different way to consider: results-based budgeting. Meaning, what do we want to see happen, and what do we need to see based on the market threats that are evolving? The idea is to act with a plan that is risk-based, not fear-based. We know we can’t get budget for everything we wish for; however, we can have a risk-based argument and decision-making process with the board. This way, without playing the blame game, we all know and see what we said no to. #budgetseason
Cybersecurity and Data Privacy Leader| Enterprise AI Expert | Advisor| CISO
6 months ago
I agree with Drew Simonis. It’s a little late for 2025. Maybe a better question for 2026! As a CISO, it’s advisable to have a 2-3 year plan with budget allocations for business enablement, compliance and risk reduction, communicated to leadership and the board.