When you set up a conquest strategy, you design your budget to fit the objectives, not the other way around. Yet the current line-item approach of CFOs demands that the winning cybersecurity strategy fit a predetermined budget.
A budget is a tool to achieve objectives, not the other way around.
Company leadership must evaluate what needs to be protected. If one of your crown jewels is at risk, or if your new digital marketing campaign has not been assessed, your priority is to design the counter-measure plan and then estimate the budget needed to meet that strategic requirement.
Companies do not have an infinite budget line. That makes it all the more important to put your money carefully where it has the most impact. Understand your business environment, assess your threat landscape and plan your risk mitigation strategy around the areas where it will matter most.
Prepare the mindset before the budget.
Every business owner knows that throwing money at an unprepared project can only end in failure. Before allocating money to a cyber risk management line, senior management must ensure that all stakeholders understand and support the current strategy and priorities.
Aligning the cybersecurity mindset requires identifying the key stakeholders across the business lines: Finance, IT, HR, Sales. Infuse the mindset into your management chain, gather cybersecurity champions who will support the strategy, and finally design the necessary budget.
Develop a Benchmarking Approach to Cybersecurity Budget
Cyber risk management and cybersecurity governance rely on frameworks. Whether it is the NIST Cybersecurity Framework, ISO 27001 or COBIT, all of these tools split security topics into a few key areas. Are you more mature at risk prevention or at attack detection? Does your threat landscape lean more heavily toward social engineering or technological attacks?
Interaction between senior management, the governance function and the technical experts helps you weigh those key cybersecurity areas in terms of maturity and risk. It is your compass for designing a budget, ideally split equally across three types of action for reliable cybersecurity:
- Quick wins: easy and cheap actions with a visible impact you can leverage for commercial purposes
- Infrastructure: maintain, refactor and upgrade your current security measures
- Strategy: implement your new cybersecurity objectives.
The current CFO way of working and budgeting is reactive: you unlock a cybersecurity budget after you have been hit by a cyber-attack. You may get away with it a few times. But IT is now a key factor of value creation in our interconnected world, and a single cyberattack can lead to bankruptcy. Starting with small, key investments, building a minimal security baseline based on best practice and creating a cybersecurity culture will make your company resilient. Adopting a proactive approach to cyber risk budgeting will also, in the long run, decrease its overall cost.