How to Secure C-Suite Funding for Modern Cybersecurity Investments
By Gretchen Wichmann and Larry Wolf
One of the ongoing challenges for enterprise CISOs and CSOs is convincing the company’s top executives to provide sufficient funding for cybersecurity programs. Although many CISOs understand the ROI for a cybersecurity investment, some of the benefits may get lost when articulating the business case to the C-suite.
CFOs, CEOs, COOs and board members typically understand some of the damaging implications of a successful cyber attack. But security needs to be viewed not just as an “after-the-fact” insurance policy, but as a business unit that efficiently delivers profit growth and faster time-to-market.
There are several approaches CISOs can take to help build the business case for better funding.
Talk with peers in your industry and other industries
This is not merely to exchange security ideas about threats and defense tactics, although that information is useful. The goal here is to understand the level of investment they are making. If a dozen similarly situated enterprises are spending five times what your enterprise is investing in cybersecurity, that will grab your CFO’s attention.
Some CISOs may be uncomfortable talking with other CISOs, or they may not see the benefit in expanding their security research beyond their own industry. However, our customers often have similar security challenges not only across competing companies but also in different industries.
Think like a LOB executive
Senior management often wants their CISO to promise them that they are secure and compliant, even though they intrinsically understand that compliance is a constantly evolving process and that absolute security will never be possible.
But senior management will typically give weight to what the LOB managers and executives say. If a LOB exec resists a security change and argues to senior management that it slows down operations, shrinks their already tiny time-to-market, or decreases workforce efficiency—all of which threaten margins—CFOs and CEOs are inclined to listen.
It’s important for CISOs to negate these arguments before they are made. That means taking the time to understand the LOB exec’s world and stress the long-term operational benefits of the security upgrade. Fortunately, security and network modernization efforts that are highly integrated with the best cloud providers offer a wide range of operational advantages, including passwordless systems that remove authentication friction, faster data exchange, and a security platform that makes it easier for all required users to access information deep within the network.
Talk to both senior management and LOBs
The best route is to speak with both groups and stress value-adds that improve their bottom line. For example, emphasize that modernization would include current access management strategies that can reduce onboarding and offboarding time while improving security and compliance as well as reducing friction for end users. No more orphaned privileges when someone gets promoted or makes a lateral shift. While enterprises have generally gotten better at removing all privileges when an employee leaves, the internal promotions and lateral shifts often fall through the cracks.
Modernization is not solely about the technology. It’s also about people, processes, and data. This is where investments in automation and digitization need to be made.
The aim is to define a business case by examining business priorities, including compliance requirements, and enterprise pain points. CISOs need to work with IT, HR, Legal, Compliance, and other key business units to deliver cross-functional stakeholder alignment and buy-in. This is the best way to leverage a programmatic approach with clearly defined business benefits and outcomes.
Focus on end-user satisfaction
To achieve senior management buy-in, security must demonstrate trackable increases in end-user satisfaction, such as noting how long it takes for employees and contractors to get needed access.
Even when business units are functioning they may be executing inefficiently. Improving IAM is often the golden ticket to success. For example, we’ve seen user onboarding access reduced from two weeks or longer to just one day by implementing a modern IGA solution. That’s the type of business value that can help sell a modernization initiative.
Start your cybersecurity investment with a strategy
One of the best ways to prepare for a significant cybersecurity investment is to build a comprehensive security roadmap. We recommend first making a current state security assessment and then creating a future state vision based on your business requirements and priorities. Using this future state vision to develop a structured roadmap will help set expectations for key qualitative and quantitative benefits milestones, and establish the business value and foundation for your new program.
Connect with Edgile to get started
For details on how to optimize your identity programs, please contact your Edgile representative.