In this episode of CBTS Tech Talk: Inside the CISO’s Office, our experts explore how today’s CISOs and CIOs can secure cybersecurity funding from their organization’s C-Suite when proposing new or additional cybersecurity measures. Guests Jim Studer, former Univision CIO, and Allan Hackney, former CIO at Hewlett Packard, John Hancock, and AIG Consumer Finance Group, joined John Bruggeman, CBTS vCISO, to discuss best practices for enlisting financial support from critical leadership. They also discuss the legal risks businesses face when weak cybersecurity protections put them in danger of compliance and regulatory oversight.
Cybersecurity investment lags significantly
Business leaders globally have yet to defend against surging cybersecurity threats with adequate cybersecurity funding to support a strong line of cyber defense for their organizations. Of the worldwide companies that participated in the 2024 Cisco Cybersecurity Readiness Index, 73% expect a cybersecurity incident to disrupt their business in the next 12 to 24 months, while 54% have already suffered a cybersecurity incident in the past year. Yet only 3% of organizations are assessed as having a mature stage of cybersecurity readiness in 2024.
“Leaders need to understand how cybersecurity risks could impede their ability to compete and to be profitable.”
Allan Hackney
So, today’s CISO is at a critical juncture. They must defend against more potential attacks with or without sufficient cybersecurity funding to invest in the tools and resources needed to get the job done. Thankfully, there are viable strategies for securing those dollars. John and his guests offered tips for identifying the right players, communicating at their level, and keeping them apprised of the increasing legal risks of inadequate cybersecurity.
Read more: IT risk management requires new tools in a shifting threat landscape
Cybersecurity funding: who controls the purse strings?
Not every CISO will struggle to obtain cybersecurity funding. Some businesses know the risks and make proportionate investments to safeguard their data and operations. However, that’s largely the exception rather than the rule.
CISOs and other cybersecurity decision makers should approach the appropriate members of leadership to discuss their cybersecurity funding needs. It is critical to get support from the following:
- The chief operating officer (COO).
- The company president.
- The chief legal counsel.
- The chief finance officer (CFO).
CFOs are the deciding factor in the cybersecurity budget allotment. The technology research and consulting firm Gartner made the case for CFOs treating cybersecurity as a business decision at the 2024 Gartner CFO and Finance Executive Conference.
Read more: Three pillars of finance that influence a successful client-centric culture
Build relationships to secure financing
According to Hackney, a surefire way to fail at acquiring needed cybersecurity funding is to speak to C-suite executives in tech jargon. Talking about next-generation firewalls or using acronyms like ZTNA (zero trust network access) never got him anywhere. “I can’t tell you how many projects I’ve seen fail to get past the first tollgate because the CIO talked about tech tools with no link to how this will better the company’s business,” he said. “It’s got to tie back to return on investment (ROI) and the overall value to the business.”
CISOs must demonstrate that they support their leaders’ business objectives. Rather than starting a conversation with requests for cybersecurity funding, ask about their current challenges. If they mention something about IT, try to reduce that friction for them. It will build your credibility. The end goal is convincing leadership you are on the same team, which may take time.
Once you have their trust and attention, explain the need for cybersecurity funding in the context of risk. Explain that without adequate funding, that risk will either continue to grow or an attack will occur.
Cybersecurity funding must keep pace with escalating legal risks
Boards of directors are starting to make cyber risk and cybersecurity funding a priority. New York-based law firm Proskauer stated that a market-wide shift in awareness of and focus on cybersecurity issues is on the horizon. Following the 2023 “corporate cybersecurity rule” that “increased scrutiny into, and comparison of companies cybersecurity programs by investors, insurers and the public as well as by the regulator itself,” the Securities and Exchange Commission (SEC) is now proposing new risk management obligations for the investment sector.
“From the board’s point of view, it’s all about the potential liabilities that could undermine the business strategy and undermine the business’s ability to conduct the work that they do,” said Hackney.
The businesses most at risk of breaching heightened cybersecurity regulations are those in highly regulated industries, including banking, finance, and healthcare. Regardless of the business’s industry, Hackney suggests CISOs create a risk register to categorize the perils that could impact the business. Start by assessing the business’s vulnerability to each risk, the potential frequency of each risk, and finally, the impact of each risk. Conduct this process every six to twelve months, as well as each time you implement new technologies.
Not every risk on the register will require action. However, this evaluation can be practical when justifying requests for cybersecurity funding because it can also be used to seek alternative solutions that may be more economical, such as investing in different technology or partnering with a third party.
Read more: Lax data security compliance puts your business reputation at risk
Mitigate risk with the right partner
Remember that C-suite executives will want value in exchange for cybersecurity funding. This isn’t simply about diminishing risk but delivering the best possible outcomes for the dollars spent. Partnering with a third party further reduces risks in the long term. Vendors specializing in cybersecurity have the tools and expertise to manage, monitor, and track potential threats. CBTS has extensive experience in patching and vulnerability scanning, enabling us to efficiently equip your systems with the tools you need to be proactive and secure long-term.
Contact CBTS to learn how we can deliver value and help navigate legal risks.
