It’s that time of year when chief information security officers (CISOs) prepare their budgets for the following year. But even with all the long budget meetings and analysis, getting the budget you need is rarely easy. Communicating cyber risk to other stakeholders often falls short, as they struggle to fully internalize what the risk means in terms of financial impact. Yet by taking a data-driven approach to analyzing the frequency and severity of potential cyber attacks, CISOs can then present clear, quantifiable numbers. When boards and other stakeholders see these numbers, they may then be more receptive to providing adequate funding.
CISOs tend to find themselves in a bind. On the one hand, you’re expected to protect and ultimately create value for your business and your stakeholders. On the other hand, you’re expected to cut unnecessary budgets … but not everyone agrees on what’s necessary vs. unnecessary.
Maybe one year you convinced your CFO to provide a certain budget to make security investments. But the following year, the CFO questions why you spent so much when none of the attacks you warned about materialized. Of course, that was the point of those investments, but don’t expect all stakeholders to follow this logic.
Not only is this situation frustrating, but it puts your job at risk. If a major incident does occur, it doesn’t matter if it wasn’t your idea to cut the security budget … you’re still probably going to be the one who takes the fall.
How can you overcome these issues and get the budget you need?
Some CISOs ask for a fixed percentage of the company’s overall IT budget. Others ask for a predefined increase based on last year’s budget.
But at the end of the day, these approaches don’t tell you anything specific about the risks you face.. Especially when receiving push back from your CFO, the board or others, you want to be able to justify why you need a particular amount.
So, CISOs can solve this problem by presenting real, quantifiable numbers on the frequency and severity of your company’s risk based on data from past events. This frequency/severity information can then translate into potential losses in dollar amounts.
That specificity tends to resonate with the boards and other C-suite members more than when basing conversations around intuition, hype cycles, or using approaches like color-coding risk levels.
Remember: when it comes to securing a budget, your target audience isn’t necessarily focused on specific vulnerabilities and controls. They want to know if something bad happened, what would the financial impact be?
Once they have that number, they can focus on areas like:
By framing the conversation in this context, it’s generally easier to then come up with a relevant, sufficient budget.
Cyber risk quantification can be done by modeling the impact of an attack based on past events, similar to what’s done to quantify natural catastrophe risk. Kovrr uses both third-party data on cyber events as well as proprietary data from cyber insurers and enterprises.
Having this insurance data is particularly helpful, considering the breadth of claims they deal with.
While it’s possible to use some traditional analog methods to analyze past events and model what cyber risk means in terms of exposure, using an automated platform like Kovrr that continually feeds quantification models with new data tends to be a more efficient and effective approach. From there, you can look at bottom-up elements that apply to addressing the costs of specific areas like business alignment, training, awareness and security culture.
With budget season upon us, CISOs can’t afford to wait. The time is now to be able to financially explain the risks you face and what you can do to manage those risks. That way, you can add value by informing stakeholders about potential losses and then receive enough budget to appropriately manage your cyber risk.
To learn more about how Kovrr’s modeling technology can quickly help you put a number on your financial exposure, before getting too deep into budget conversations, get in touch today.