September, and Fall, signal the harvest for farmers, and for CISOs. The project seeds that were planted earlier in the year are getting implemented and showing results. This is also the time when planning starts for next year. In farming terms: what crops and seeds are needed; where do you fertilize; and which fields need rotating? For CISOs the planning and budget process often starts and stops around this year’s spending, and includes a goal of reduced IT spend. Looking behind, CISO’s see ransomware, not-Petya, and other attacks demonstrating the growing threat. Looking forward, many CISO’s see customer contracts, regulations, and audits driving increased requirements for security controls. Unsurprisingly, they ask, “How can I justify a bigger budget?” to address the growth in both threats and requirements. Often, they look left and right to their peers’ spending and ask questions to keep up with the Joneses:
- How much are other companies spending on security?
- What percent of IT spend should go to security (for my industry)?
- What are companies this size spending on security?
- How can I justify a bigger budget?
These are important questions, but they aren’t necessarily the right questions. In assessing the security programs of many companies, spending varies widely with one general pattern emerging. Historically, companies haven’t spent enough on security to be prepared for the current threat environment. In keeping up with the Joneses, many companies have fallen behind.
Today’s threat environment has evolved to be more severe than ever before. Much has been written about the impact of “not-Petya” with companies finding systems offline for weeks or months, and some systems that may never come back as they were. Data exploitation, in the form of ransomware and extortion have also increased - in cost, impact, and frequency. Through a criminal ecosystem that creates, sells, and operates services and products , today’s least sophisticated attackers are only slightly behind nation states in their ability to buy and deploy attacks. Simply put, while the threat environment has increased the number and severity of attacks, defensive spending in many companies has remained steady or decreased.
The right questions, to drive budget increases, focus on protecting the company’s business. A former CISO turned CIO recently explained why they were returning to the CISO role: CISOs are much more involved in understanding the business. Reviewing the impact of not-Petya, one company found they’d had significant losses and invested time and energy to deal with the attack as both suppliers and customers were impacted. Even though the company itself was operating unaffected! The right questions focus on how security projects, operations, and funding will be used to protect the business, business processes, and mitigate risk. Asking the right questions requires understanding how the company’s business activities drive value and how a cyber attack might impact those operations.
Today’s threats aren’t just copying information and defacing web pages. Today’s threats are destroying data (effectively destroying systems), and exposing private data to outside scrutiny. With these kinds of threats, and depending on the business, the right questions might be:
- Which suppliers are critical to day-to-day operations and revenue?
- How could we rebuild critical business systems from scratch?
- When would we detect the copying or theft of critical private information?
- What would we do to recover from the loss of a critical system?
These questions can drive funding requests for new capabilities with specific value in managing and reducing risk. Sometimes the question drives an assessment or exercise to review capabilities. The output of that assessment often provides the data to justify requests for funding and capability. Developing the answers to these questions creates a context for business support, and discussion of risk tolerance. Companies may find that they’ve accepted more risk than they knew and increase funding to reduce risk.
Companies that have been victims, and especially those with the most severe impacts, easily justify increased budgets; sometimes with more budget than the team and the program can absorb. Asking the right questions, and looking forward to protecting their company will help CISOs drive the right budget to build a program that establishes and operates business-prioritized capabilities. CISOs can drive the right budget, regardless of what the Joneses are doing.