How to
Ryan Berg
Nov 2015

How to Get Executive Buy-in for Your Security Budget: 3 Key Tips


Editor's note: A version of this post originally appeared on ITProPortal as "Three Mistakes that Will Sink Your IT Security Budget". 

Being the “resident security expert” in my family makes me painfully aware of the increasingly frequent data breaches that keep making the headlines (not to mention the fact that my credit card has been replaced four times this year). Each new report brings a flood of “did you hear/read/see this?” messages to my inbox, usually accompanied by a plea that whatever I am working on will help in some shape or fashion.

When it comes to security, the overwhelming consensus is that we all need to be doing more. Of course, if you’re sitting down to discuss your company’s IT security budget, you’re going to need to get a little more specific than that.


3 Keys to Getting Executive Buy-in for Security

Determining the right cybersecurity budget can be a challenge, especially for companies that are looking into security seriously for the first time and are unsure where to start (if that sounds like you, there may be other getting started questions you need to deal with first). While one approach is to look to industry benchmarks — averages by vertical, percentage of overall IT spending, etc. — the truth is there is no universal right answer to determining your security budget.

You’ll need to identify the top needs for your company, specifically, as well as establish your tolerance for risk. The sooner you get key stakeholders involved in that discussion, the better. Here are three tips to help you make sure that conversation is actually productive and leads to real buy-in.

1) Agree on your needs & goals first

Before you even think about asking for money you need to sit down with key stakeholders and come to an agreement on why security is a necessary investment for your organization in the first place. There needs to be a clear understanding of what the priorities are and how they relate back to your primary business goals. Think of it as finding your north star.

With that in mind, the secret to a productive “buy-in” conversation is to start out not with how the business can improve its security, but how security can improve the business. To get to that, here are three simple questions to help you drill down into what better security will enable you to achieve and/or avoid:

  • Why do we need better security?
  • What are we trying to secure?
  • What will happen if we don’t get this right?

Pro Tip: Your leadership team doesn’t have to understand how security works, but they do need to understand why you’re doing what you’re doing, and be on board with what you’re ultimately trying to achieve.

2) Establish a dedicated budget

Unless you’re actively dealing with a cyber attack or a data breach, security spending often isn't something leadership will be falling over themselves to discuss. Many think of it the same way as investing in insurance — increasing your spending doesn’t inherently make you safer, it simply reduces your risk and helps you prepare for if and when things go wrong.

As a result, investment in security is too often an afterthought. It's either put off or it's money that gets assigned after everyone else has grabbed their piece of the pie.

To avoid getting caught in a reactive situation you need to establish that security is a budgetary item that requires dedicated dollars assigned to it. It shouldn’t be money that’s coming from another department or that can be reassigned. In that sense, securing buy-in means getting a commitment from leadership that security is important to the business, it has a purpose, and it needs funding.

3) Don't worry about what everyone else is doing

Just because a competitor has a security information and event management (SIEM) solution doesn’t necessarily mean you need to have one, and just because they spend 15% of their total IT budget on security and you can only spend 10% doesn’t mean they're inherently more secure.

Pro tip: Don’t waste your money and political capital trying to keep up with the Joneses. Spending isn’t what makes you secure.

There’s a big difference between using competitor research and industry benchmarks to inform your decisions and allowing those things to make your decisions for you.

The point isn’t to find a killer game plan to steal. You’ll still need to develop a custom blueprint that addresses your own unique needs. That said, getting a sense of what constitutes good, better, and best practices for other companies may help you determine where you’re strong, where you’re weak, where it’s okay for you to be weak, and where you need to invest. 

Companies not sure where to begin can also look at the Building Security In Maturity Model (BSIMM) from Cigital. While it won’t provide specific answers for determining what’s right for you, it does offer a glimpse into what other companies of various sizes and growth stages in your industry are doing, which is good context to have.

Looking for more tips on how to make a strong business case for security? Download our guide:


It's full of tips that can help IT pros present the need for additional security in business terms. Inside you'll find:

  • Relevant statistics that explain why investing in security is the right business decision to make
  • Real-world attack examples to help bring those stats closer to home
  • An interactive calculator to help organizations put a dollar amount on their current risk
  • A list of questions IT and security pros should be ready to answer from executives
  • Sample slides to help build and deliver a successful presentation to stakeholders

Download the guide here.

Ryan Berg

Ryan is Chief Scientist at Barkly. He holds multiple patents and is a popular speaker, instructor, and author in the fields of security, risk management, and secure application development.
