CISO Perspectives: Cybersecurity Budgeting Edition

It’s time to tackle the elephant in the room: the often awkward and uncomfortable conversation every CISO must hold with their board and executive teammates around this time of year. That’s right – we’re talking cybersecurity budget and metrics.

‘Tis the season for planning your cybersecurity activities. With rising threats and increasing breach-related financial repercussions, it’s likely many of us will need to communicate the need for additional dollars and resources. And this is no easy feat. 

We won’t pretend that we’re the experts on cybersecurity budgets, though we do know a thing or two about optimizing your penetration testing budget and the factors that influence the cost of a penetration test. So, we tapped the experts for advice during recent episodes of the Agent of Influence podcast.

Podcast host and NetSPI Managing Director Nabil Hannan asked three experienced CISOs — Cecil Pineda (R1 RCM), Rob LaMagna-Reiter (Hudl), and Samir Sherif (Imperva) — for tips on measuring security ROI and how to communicate budgeting needs. Here is what they had to say. 

What metrics are effective when presenting your cybersecurity budget needs to the board or C-Suite? 

Cecil Pineda, SVP/CISO at R1 RCM: Today, we’re seeing a lot of usable metrics. Some organizations like to look at the negatives. You could highlight all the incidents that you’ve experienced, how many risks you have in a risk register, how many non-compliant items are in your compliance programs, and how many risks are critical, medium, or low. 

For many years, I felt fear, uncertainty, and doubt. This can be useful, but it doesn’t always help me communicate my needs. My leadership team was in on our security program, asking where our competitors are at. How does our program benchmark against others in our industry? Where do we want our scores to be? 

Maturity metrics, particularly the NIST Cybersecurity Framework (CSF) metrics and the Capability Maturity Model Integration (CMMI) framework, have helped me measure my program. For example, in the healthcare industry, the average CSF score is about 2.8 or 2.9. If you start your program at 2.3, you have to think about how to get to 2.8. Though, ideally, you want to target higher than 2.8 so that you’re aiming above the industry average.

Then, identify all the opportunities to get there. It could be people, it could be processes, or it could be technologies. These are the things that we need to improve.  

Samir Sherif, CISO at Imperva: My focus has always been less about specific data points. If you’re running one program, it’s less about getting numbers off that program to show value. For example, if it’s a vulnerability management program, it’s not just about reducing vulnerabilities. 

How is security making a difference in generating more revenue for the business? How is that adding value to improve customer communications or reduce risks for the organization? That’s what they really care about and look for.  

At the end of the day, we are risk leaders. That’s all we are. But we have to have the same kinds of conversation as the IT and engineering leads might around providing value and building efficiency over time.  

So, the metrics I’ve leveraged are a combination of showing risk data, but also resiliency data. It’s a combination of how my capabilities, programs, and the leaders that work for me are delivering to help move the needle and enable the business to move faster and grow. And that’s what really resonates with senior leaders and the board. Ultimately, you end up getting more budget to build upon that.

Rob LaMagna-Reiter, CISO at Hudl: I’ve searched and searched, and to date, I’ve not found a single, consistent, reliable metric that can make the case for more budget or showcase ROI.  

With that said, there are several areas that you can consider. First off, everything is personalized. But I’ll try to provide some examples of tactics I’ve used in the past that start very generally, and over time, you can tweak those to your specific business.  

Let’s say you’re starting out and you’re convinced that you’re seeing an underinvestment in information security. There are plenty of benchmarks out there, everything from the security dollar spent per full-time employee, security budget as a percentage of the IT budget, security budget as a percentage of revenue, and so forth.  

You can use those low, moderate, or high averages as benchmarks to showcase where you fall along that path. There’s also something called the “cybersecurity poverty line” that was illustrated many years ago. It showcases organizational revenue and resources and helps illustrate where along that line organizations possibly are investing versus where they shouldn’t be investing.  

You can also use business drivers, such as acquisitions. You can formulate a weighted average cost per IT asset required for security. Then, as the business grows, security is already an assumed cost of doing business. Most importantly, I found that it always needs to be aligned with that business growth in the strategic objective. 

These are a few ways to get started. As you’re working through your program, it is important to understand what business leaders care about. Have you enabled my availability and uptime? Have you shown improvement year over year? There are always parts of the business that are growing faster than the overall weighted average of either revenue or top-line growth. You need to be increasingly aware of the scope of those situations and how they impact security.

Remember, it’s not that the board and leadership team don’t want to spend on security; they just want to know that the resources and the budget will enable the growth in business resiliency.

Many of the examples I’ve shared have dollar value components, but it requires a lot of analysis and partnership with business units to get to an agreed-upon state so we can showcase both budget asks that are rooted in reality, as well as ROI. I wish there were an easy figure or benchmark I could provide you, but everything is very personal to your business.

It requires a solid relationship with not just your CFO leadership team but across all of your peers and board to make sure that we’re all on this journey together. We’re not going to get everything we want every single year. But if we’re making incremental and iterative improvements in the right direction, you’ve done your job as a security leader. 

Beyond metrics and objective data, are there other tactics that work well for you when communicating your cybersecurity budgeting needs? 

Cecil Pineda: There are many ways to communicate without data. I’ve learned this from many great CISOs before me. One of the most effective tools in our arsenal is storytelling. You can tell a really good story, but you have to align it to your leaders.  

Today, a lot of our board of directors and senior leadership are tech savvy. We see it in the news. They know all the risks and threats and all these security controls that are at our disposal. Having a good story to tell that includes “here’s where we are” and “here are some of our challenges” is important.

There are so many things that can’t make it into a slide deck. When I’m presenting, I always try to make sure that I tell the story behind those metrics. Those stories are very powerful. When I was a first-time CISO, I’ll be honest with you, I didn’t know how to tell a story. I was just relying on data always. But it wasn’t enough. 

As I went on to different companies and different roles, I’ve learned how to craft a strong story. I recently learned that my CIO is actually a former CISO and an academic. I listen to him and I watch him. I’m still amazed how he can tell a really good story and be able to drive people together and gain support with stories. 

Samir Sherif: Before you even build any ROI models or metrics, make friends with your CFO and CFO teams. At the end of the day, they’re the ones who are going to help you keep the lights on and also make sure that you’re budgeting and spending appropriately. 

Being at the table and not thinking that cybersecurity is a priority everybody needs to worry about is concerning. Just like an athlete needs to worry about their health, cyber professionals need to worry about the health of their organization. But there’s also performance demand, right? 

Being a part of a team that can have a good conversation around what’s the greater objective and strategy is key. Helping influence that strategy is important to be successful in the field that we’re in. 

Rob LaMagna-Reiter: I like to take real business workflows or issues in the organization and help paint a picture and showcase what operations would be like if my ask, or if an above-average project, is approved.  

It’s about connecting those crown jewels in the business to something that leadership knows is tangible. They want to be able to see the benefits and efficiencies. You have to remember, at the end of the day, nobody cares about cybersecurity or information security as much as we do. They do care, but it’s not their day-to-day as it is ours.  

It’s about storytelling versus fear-mongering. Over coffee or lunch, get to know your leadership team’s motivations. And don’t always assume the worst-case scenario. Always approach them with empathy.

Showcase cybersecurity against peers within our verticals or organizations of other similar sizes. Tie it to the business initiatives and showcase why it is necessary and clearly state what your recommendations are.  

Something that I’ve learned over time is you never want to leave with only one recommendation. You always want to offer leadership, at minimum, two options. One is obviously going to be your preferred path. But leadership will want to see that you’ve thought through some of the ramifications. Get creative. There are always going to be trade-offs. Leadership will appreciate the time and effort and will take your recommendation to heart and open it up for discussion. Tunnel vision can sometimes lead to less budget getting approved.

Listen to the full episodes of the Agent of Influence podcast online, or wherever you listen to podcasts: 

This post is part of a series on cybersecurity budgeting. Check out these additional resources:  

Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.