7 Cyber Pros Share Their Top Problems with the Cyber Budget Approval Process
03/05/2021 | by: Boardish Team
The current cyber budget approval process has its share of problems, ranging from the slowness of the process, which leaves businesses exposed while they wait, to the misconceptions decision-makers hold about cyber’s role and about who owns the risk.
Boardish reached out to seasoned cyber professionals from various backgrounds, industries, and experience, to help shed more light on the most pressing issues with the cyber budget approval process in reality.
We asked: “What is the number one problem cyber professionals face when getting budget approvals from the board?” and how they would address it. Here are the results.
1. Using probability and likelihood
Cyber Pro: Eli Migdal, Co-Founder Boardish.io
“When cyber threats or risks are discussed in terms of what is ‘probable’ or ‘likely’, the CISO or cyber professional is taking full ownership of the risks; it doesn’t instill any sense of urgency or ownership on decision-makers or the business, which in turn delays the whole budget approval process.”
Tip to address this: Quantifying risk into financial figures creates a clear and definitive metric that has to be addressed. Money is the language decision-makers already work in. Telling them they need to own $220M in risk, rather than saying ‘we’re likely to have a ransomware attack’ (which only raises more questions), shows how quickly the process can move.
2. Lack of cyber understanding
Cyber Pro: Ian Poynter, vCISO
“The number one problem getting budget approvals from the board will realistically vary with the specific board and its members, and knowing the audience is really what comes first and foremost. That said, I’d say that any CISO’s #1 problem is a lack of understanding of the realities of cybersecurity-related risks.”
Tip to address this: “Educating the board, without seeming condescending, will allow a case to be made for any and all budget requests by framing them in the context of the associated business risks.”
3. Speaking different languages
Cyber Pro: Dutch Schwartz, Cloud Security Strategist
“The number one issue facing cybersecurity professionals when it comes to budget proposals is their lack of experience in speaking the language of their business.”
Tip to address this: “Beyond just explaining risk mitigation, [cyber professionals] need to express the benefits and value of a given security strategy so that other business leaders can support their efforts.”
4. Ignoring the ‘why’
Cyber Pro: Joshua Scott, Head of Information Security and IT, Postman
“I’d say the number one problem is that the value obtained from the budget spend is not clearly articulated. We tend to focus too much on WHAT we need instead of WHY we need it.”
Tip to address this: “Show the value provided in the form of risk reduction or business enablement. Also, we need to focus on simplifying our language. Security professionals have a tendency to use too much jargon that many people do not understand.”
5. No direct security influence with decision-makers
Cyber Pro: Ross Moore, Cyber Security Support Analyst, Passageways
“One problem is having direct information security influence with the board. Whether it’s a member of the board, CISO, Director, Trusted Advisor, or whatever role the company accepts, a trusted information and cyber security professional (not a report or magazine article) has to be in direct contact with the board.
Additionally, that person must present a solution that is:
- Trustworthy (based on perceived reputation by the board)
- Affordable (fits the budget), and
- Relevant (pertinent to the board’s list of perceived risks and threats)”
Tip to address this: “Keep at it – Present ideas, findings, reports, scans, accomplishments – anything that you can send their way, even indirectly, will help establish over time the need for someone to have direct influence.
Present your findings in business terms primarily, technical terms secondarily. It works wonders! E.g., any kind of chart that shows things such as, “It will cost $10,000 to update and secure this tech, vs. the $10 million in GDPR fines that will be leveled against us when we get breached.”
Then, centralize it – Be transparent and open. Make sure that board members can see it when they want – one never knows if they’ll hear about something on the news at 10 PM and want to see what the company is doing about it. The one sending the information may not be the one who actually gets the influencer role.
But in the end, the day that all of that work on the concept becomes an accomplishment for corporate security, it is a huge relief! What if it takes a long time? All along the way, you’re leveling up your business skills and improving corporate security, so you stand to gain a lot of ground professionally.”
6. Not showing solutions are ‘worth’ the cost
Cyber Pro: Ross Young, CISO, Caterpillar Financial Services Corporation
“Everyone wants to know ‘How secure am I?’ and ‘How effective are the controls?’ These are really complicated questions to answer. It’s like asking what the chances are of getting into a car wreck every time I leave the house.
Organizations can often estimate that this type of event happens on average once every XYZ years by looking at the industry data breach reports. They can also estimate the costs of how many millions/thousands to recover. Organizations can also look at solutions and estimate how much the cost is to implement new protection tools.
However, where the rubber meets the road is: if I buy this solution, does it lower my exposure by 20% or 80%? That is the hardest thing to know.”
Tip to address this: “Without the ability to accurately quantify the effectiveness of the new tool to meet the control it becomes very hard to know if the cost of the new solution is worth it.”
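The arithmetic behind points 1 and 6 (put the risk in money, then ask whether a control lowers exposure by 20% or 80% and whether that is worth its price) can be made explicit. The following is an added illustration, not code from Boardish or any contributor; the scenario numbers are constructed for the example and the “once every N years” frequency is assumed to come from industry breach reports as the quote suggests.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One loss scenario expressed in the board's terms: dollars per year."""
    name: str
    years_between_events: float  # assumed: taken from industry breach reports
    loss_per_event: float        # estimated cost to recover from one event

    def frequency(self) -> float:
        """Expected events per year (e.g. once every 5 years -> 0.2)."""
        return 1.0 / self.years_between_events

    def ale(self) -> float:
        """Annualized loss expectancy: expected events per year * loss per event."""
        return self.frequency() * self.loss_per_event


def residual_ale(ale: float, effectiveness: float) -> float:
    """Exposure left after a control that removes `effectiveness` (0..1) of the loss."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    return ale * (1.0 - effectiveness)


def net_benefit(ale: float, effectiveness: float, annual_control_cost: float) -> float:
    """Risk reduction bought by the control minus what the control costs per year."""
    return (ale - residual_ale(ale, effectiveness)) - annual_control_cost


def break_even_effectiveness(ale: float, annual_control_cost: float) -> float:
    """Minimum effectiveness at which the control pays for itself (>1.0: it never can)."""
    return annual_control_cost / ale if ale > 0 else float("inf")


def sensitivity(scenario: RiskScenario, annual_control_cost: float, levels) -> dict:
    """Net benefit at each assumed effectiveness, since effectiveness is the uncertain input."""
    return {e: net_benefit(scenario.ale(), e, annual_control_cost) for e in levels}


if __name__ == "__main__":
    # Constructed example: a ransomware scenario and a $200k/year control.
    ransomware = RiskScenario("ransomware", years_between_events=5, loss_per_event=4_000_000)
    control_cost = 200_000
    print(f"ALE: ${ransomware.ale():,.0f} per year")
    print(f"Break-even effectiveness: {break_even_effectiveness(ransomware.ale(), control_cost):.0%}")
    for eff, benefit in sensitivity(ransomware, control_cost, [0.2, 0.5, 0.8]).items():
        print(f"  at {eff:.0%} effective: net benefit ${benefit:,.0f} per year")
```

With these constructed inputs the control is a net loss if it only removes 20% of the exposure and a clear win at 80%, which is exactly the uncertainty the quote above says is hardest to resolve.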
7. Not linking to the business drivers
Cyber Pro: John Mumford, Chief Risk Officer, Fellsway Group LLC
“At Fellsway Group, LLC we believe the number one problem cyber professionals face in getting budget approved is in translating the security need, capability, gap, vulnerability, etc. into a business risk statement or business value driver.
For example, here is what we see many cyber professionals (who primarily grew into their role via a technical path, lacking the business acumen) doing in those types of requests.
They ask for say $10,000 to fix a cross-site scripting error on IP address 10.1.1.1. The board or leadership who would grant that request scratch their head and don’t know what they are talking about.
Instead, the cyber professional should approach it like this: 60% of our revenue flows through our Sales website and we are also trying to grow Sales by 10% this year. Due to a technical deficiency in the Sales process, we will struggle to hit our Sales targets. We need $10,000 to fix this deficiency.”
Tip to address this: “It isn’t an easy fix. It includes an understanding of what the business does from a digital business process, how they tie to the risks the business faces, and how they align to goals and objectives. This “data model” is captured and evaluated and correlated over months of dialog, discovery, capture, correlation, and alignment to the IT/Cyber capabilities in place.
We believe too much of security is pushed from the bottom up, and the translation never connects. At Fellsway Group, we approach the problem from the top down, then connect to what capabilities are in place at the technology level and mature that.”
To summarise the contributions above, cyber professionals who want to improve the cyber budget approval process need to:
- Quantify cyber risks into financial figures.
- Educate the board without seeming condescending.
- Speak the business language of the board.
- Explain why solutions are needed, not just which ones.
- Give the board direct information from a person of security influence.
- Quantify solution effectiveness so you can show proposed solutions are worth their cost.
- Link risks to direct business drivers and values.
A huge thank you to all of the cyber professionals who contributed their expertise to this article and helped us to delve into the real logistical challenges of the cyber budgeting approval process!