By Phil Gardner
When we started work on our Winning the Battle of the Budget report, the goal was to answer a question that has vexed many CISOs:
Why do some CISOs consistently command the budget and resources they need while others struggle?
Rather than just answer the question, we set out to craft a roadmap that embattled CISOs could follow to rise from the bottom of the barrel.
We started by surveying information security leaders from organizations with annual revenues greater than $500 million and chronicled their setbacks and successes. In the process, a set of best practices emerged.
Well-Supported vs. Under-Supported
Two camps of CISOs emerged during the study – the well-supported and under-supported. The difference between the two had little to do with company size or industry and plenty to do with an organization’s culture and CISO selection process.
Nearly 80 percent of respondents reported overall budget growth from 2016 to 2017, and 78 percent expected growth in their budgets from 2017 to 2018. But the growth curve is flattening. From 2016 to 2017, nearly 48 percent of respondents increased their budget by more than 5 percent. From 2017 to 2018, that number drops to 36 percent.
The most under-supported revealed that they:
- Suffer from a lack of corporate support.
- Rely more on technical explanations than on business justifications for budget requests.
- Are forced to fit spending into larger budgets like IT and their discretionary spending is tightly controlled.
- Are still in the early stages of risk prioritization and their metrics reporting lacks depth and context. Meanwhile, corporate reporting lines keep these under-supported CISOs several steps removed from the organization’s most influential leaders.
These two groups differ considerably on these four key budget battlefronts:
- BATTLEFRONT 1: How CISOs foster influence and credibility in their organizations. The under-supported struggle to build credibility, trust and influence.
- BATTLEFRONT 2: Who controls the budget for information security. The under-supported have less control of their budgets.
- BATTLEFRONT 3: How high up the org chart CISOs must reach to get budget approval. The under-supported must reach higher for budget approval.
- BATTLEFRONT 4: Tactics for gaining approval for new project spending. The under-supported must work harder for new project increases.
Owning the Narrative
One of the biggest lessons of the research is that CISOs must own the security narrative within their organization. Successful CISOs have learned five lessons:
- Stories Beat Metrics. Although metrics can be powerful tools, several CISOs argued that when it comes to securing a budget, it’s more important to deliver cogent stories.
- Craft Long-arc & Short-arc Stories. CISOs who have mastered the art of driving the narrative tend to develop two classes of security stories. One type tells a multi-year story of integrating InfoSec into the fabric of the company. This long-arc narrative understands the business and articulates how InfoSec powers growth and profitability. The short-arc stories detail particular investments and how they improve risk posture.
- Build Internal Channels & Alliances. Stories need audiences. When successful CISOs don’t have access to the key decision makers, they build and maintain informal channels and alliances to spread their message and advocate spending goals.
- Informal Conversations Count. Successful CISO don't miss opportunities to communicate the value of InfoSec. They insist that even water-cooler chats can make a difference. One CISO started talking informally about IoT risks long before it was an actual threat. Another said that he makes a point to invite the CFO to meetings and tabletops whenever possible. These small, casual efforts keep security top-of-mind and often lead to long-term budget support.
- Avoid Technical Jargon. Finally, successful CISOs craft their stories in language that business leaders understand. They frame their technical solution in how it will benefit the business. If the listener does not understand the story because of jargon, then he or she is unlikely to retell or spread it within the organization.
Along the way, we found that under-supported CISOs spend 30% of their time on the business aspect and 70% on the technical. It should be 60% business and 40% technology.
By learning to own the narrative, CISOs will find themselves sitting atop an increasingly bigger pile of money and manpower with which to protect their companies – and customers.
About Phil Gardner
Phil Gardner is Founder and CEO of IANS. Having built IANS’ end user research offering, Phil Gardner now oversees all strategic and operational decisions at IANS. He began his career in security with seven years with the U.S. Navy as a Strike Fighter Pilot & Ordnance Requirements Officer.