By Bruce Sussman
Wed | Mar 27, 2019 | 4:07 AM PDT

If you Google how to justify your cybersecurity budget, you will come up with tips pointing in a bunch of different directions.

For example, the article titled "How to Calculate ROI and Justify Your Security Budget" is immediately followed in search results by an article titled "Cybersecurity Spend: ROI Is the Wrong Metric."

That's why we are so thankful for the IT security budget strategies Mike Muha shared with us (and his security peers) at SecureWorld.

Muha is Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO) at WorkForce Software, and here are his top tips to help you get your cybersecurity spending approved this time around: 

[SecureWorld]  What are key ways security leaders can get the business to approve security spend and budget?

[Mike Muha]  So if you want to get your (IT security, cybersecurity) budget justified, there are clear things you should do. You need to understand the business and what the business goals are. Because if you can link your security initiative to a particular business goal, then you are much more likely to get funding.

So if you are trying to enable partners more quickly, that’s a business goal. Maybe your two-factor authentication project will help that way. If you have a log management solution or data analytics solution, what happens if you were to propose a company-wide data and analytics solution that security is just one part of, that the whole company uses or some large fraction of the company uses—and it can also be used for the security analytics. So it’s a win-win for the whole company. So that's number one.

[SW]  What is another key strategy for justifying security spend?

[Muha]  A second key factor is building relationships with business units. Understand what they’re specifically interested in, what their problems are, and what they’re trying to accomplish. And I don’t mean about security things, but about their business goals. They have particular objectives they have to achieve during the year or the following year.

Is there any way you can link a security project to something they have to work on? Or is there a security project that will help them in some way? If you can find that linkage, great.

You also want to build that trust with other people in the company, too. Because if they trust you, you do the right thing, you do things on time, you have good ideas, the more likely that when you ask for security spend it’s a valid spend that should be taken seriously.

Muha tells us that the opposite is true, as well. If you pop up out of the blue asking for money for a security project and no one really knows you, it will be a harder sell.

Watch the video interview for more insights on this. 

Muha, a member of the SecureWorld Detroit Advisory Council, is part of a shift we are hearing about at our cybersecurity conferences across North America.

Cybersecurity leaders are toning down the fear factor and talking up the fact that security is a tool for business enablement. As we found out, security is enabling innovation at Netflix.

And you can bet the business approves of that.