CISOs today don't just protect the company from cyber attackers. They provide assurance to customers, investors, regulators, and other critical stakeholders. So how do they get the budget they need to stay cyber resilient? The challenge only gets harder the bigger the enterprise, and the tougher the economic times. It feels instinctual to lean towards talking about risk, breaches, litigation, or reputational damage. But the “doom and gloom” approach doesn’t highlight the true value a CISO brings to their enterprise.
A recent report from Forrester called CISOs’ Tactics to Win Every Budget Battle suggests that companies turn towards “growing revenue, customer retention, and operating in specific verticals and regions” to gain security budget. In fact, Forrester highlights a methodology that demonstrates how cybersecurity spending directly impacts revenue—for the positive. Combined with BitSight’s foundation of trusted, high-quality data, CISOs have the opportunity to not only get the budget they need, but build trusted relationships with their boards & executive partners.
3 Stakeholders Who Influence Security Spending
Before justifying cybersecurity spend, a CISO must first understand how external forces affect their company, not in terms of breach risk or ransomware statistics, but in terms of critical stakeholders, or “external forces.” Forrester names customers, cyber insurers, and regulators as the 3 key externalities to look out for, which aligns closely with BitSight’s observations in the market.
1. Customers. According to a report from Gartner®, “56 percent of customers are now expressing frequent interest and concern in the cybersecurity posture of the organizations that they do business with.” Forrester concurs, stating “third parties can undermine years of work.” Many of your customers are looking for evidence that your cybersecurity program performs well, just as you should be looking at your own vendors to see how they perform. Whether a contract stipulates certain requirements or you’re being scrutinized more generally, customer expectations are high. Forrester suggests looking at commonalities in what customers require from an insurance perspective to get an understanding of revenue at risk.
2. Cyber insurers. Insurers look at how resilient a company is to withstand or quickly recover from cyber events to provide the right coverage. Insurance companies review variables like patching rates, endpoint protection, and vulnerability management to underwrite and price policies. That means that CISOs need to demonstrate the effectiveness of their programs for more favorable coverage and rates. As a starting point, Forrester recommends collecting the controls in scope from your cyber insurers to understand impacted budgets. But influencing cyber coverage goes beyond checking a box.
3. Regulators. There are major shifts in the way regulators view cybersecurity. From the SEC considering new regulations that would require expanded disclosure to the marketplace, to new U.S. legislation requiring cyber incident notification to government agencies, to the EU’s formal adoption of DORA, cybersecurity programs are under greater scrutiny from regulators and investors alike. As CISOs juggle the crossroads of regulations based on factors like vertical, geography, customer residency, and data collected, Forrester details how to inventory the legal and regulatory frameworks you must adhere to.
Start Budgets with the Right Data
The right cybersecurity strategy needs the right data to be successful. While Forrester’s report recommends which data you should mine and where to start looking for it, a CISO needs to make sure they have the right foundation of data to start with. High-quality datasets not only help you respond to customers, insurers, and regulators, but they give you the right insights to plan for the future and become better defenders.
Once you have the right data, you need it in the right context to make decisions. With a trusted foundation of good data in place and the ability to intuitively glean the insights you need, that’s when a CISO can truly start to win budget battles. BitSight’s integrated solutions provide security leaders actionable insights to manage cyber risk, performance, and exposure for themselves and their third parties. We deliver the insights CISOs need to make decisions and communicate with business leaders.
To learn more about Forrester’s recommendations and how to calculate your budget, download their report CISOs’ Tactics to Win Every Budget Battle. For more information about BitSight’s solutions, contact us.