How to Make a Successful Case for Cybersecurity Funding

With cyberattacks on the rise, security investments are more important than ever. Still, the pandemic has forced many organizations to reconsider how they allocate their IT dollars. Between the new work-from-home paradigm and the increasingly global nature of many modern workplaces, CIOs have had to accelerate investments in cloud solutions and remote technology.

But as a security leader, you need to find ways to secure your share of these dollars so that you can support this new normal and protect your organization’s rapidly expanding digital ecosystem.

To be successful, you must demonstrate how cybersecurity funding can support today’s business goals and have data-driven conversations with executives and board members that bridge the gap between your organization’s business and security interests.

Let’s look at four ways you can do that.

1. Prioritize spending to high-risk areas

If you observe how the different functional heads of your organization determine their budgets, you’ll see that they typically invest in areas where the greatest need exists. For example, to grow the business, your CMO may prioritize lead generation. Meanwhile, the organization’s chief legal officer might invest in automation tools that free legal teams from repetitive, time-consuming tasks.

Prioritizing security spending should be no different. It’s critical that you focus security resources where they are needed most. But that’s no easy task. As the number of digital touchpoints employees interact with on a day-to-day basis grows, so does the attack surface. This puts tremendous pressure on you because it’s hard to get a handle on the risk hidden across digital assets on-premises, in the cloud, and across geographies, subsidiaries, and a remote workforce. After all, you can’t secure what you can’t see.  

Consider the high-profile Capital One data breach. The hack occurred when a bad actor exploited a misconfigured web firewall in the bank’s Amazon Web Service (AWS) cloud service. Unfortunately, misconfigurations like these are commonplace, but they are invisible to your security team and put your organization at risk.

That’s why Bitsight developed Attack Surface Analytics.

With Attack Surface Analytics, you can achieve unprecedented visibility into the location of your organization’s digital assets – on-premises, in the cloud, by geography and business unit, even across remote environments – and the corresponding cyber risk associated with each.

Uniquely, Attack Surface Analytics also allows you to visualize areas of high or disproportionate risk. With this insight, you can identify where cyber risk reduction programs are most needed and make a compelling case for those investments. Then, through continuous analysis, you can show the impact of increased cybersecurity funding on security performance.

2. Justify cybersecurity funding with risk-based metrics

Too often, security professionals provide senior leadership with metrics that don’t correlate with business outcomes. For instance, executives and board members may not know what it means if you present them with a report that states: “The SIEM captured data about 12,000 antivirus events and 400 failed logins in the past quarter.” Instead, it’s more effective to say: “Last quarter, our security program successfully blocked thousands of viruses and unauthorized logins that would have resulted in significant business disruption and data loss.”

By sharing metrics that directly relate to positive or negative outcomes, you can report on cyber risk in a language that makes sense to non-technical stakeholders and the board and better drive strategic conversations about cybersecurity investments and ROI.

Of course, some data points are more important than others. Metrics that correlate to the risk of data breaches, like security ratings, are especially effective. With security ratings, you can assess the likelihood of a data breach based on common risk factors such as open ports, misconfigured software, malware infections, exposed credentials, and weak security controls.

3. Financially quantify cyber risk

To further strengthen the case for cybersecurity funding, you can also layer in additional data with cyber risk quantification which can quantify risk in financial terms.

With Bitsight Financial Quantification, for instance, you can simulate your company’s financial exposure if it were the victim of ransomware, a denial of service attack, a supply chain attack, and more.

In this way, you can translate the technical side of cybersecurity into terms that executives and board members understand – further supporting your justification for cybersecurity funding. As you invest in the right security controls, you can also show how that exposure lessens over time.

4. Benchmark security performance against your peers

Another way to advocate for more resources is to understand the standards of care that similar organizations maintain. By benchmarking security performance in the context of industry peers, you can better determine the security targets your company should strive for and where its current security program falls short. From there, you can create informed improvement plans, advocate for increased cybersecurity funding, and regularly report on how your program aligns to or exceeds industry security benchmarks.

The bottom line

By prioritizing spending to the highest-risk areas, justifying funding with risk-based cybersecurity metrics, and benchmarking your organization’s performance against its competitors, you can explain the value of continued cybersecurity funding and ensure that digital transformation initiatives are protected and secure.