How to Get Funding for Your Security Program
by Paul Proctor | February 8, 2013
A CISO’s biggest challenge by far is getting executive management to appreciate (and fund) what they do. This scene plays itself out time and time again across the globe in every industry:
The CISO walks into the CFO’s office and says, “I need $1M to protect the company.” CFO: “How much did you spend last year?” CISO: “Nothing.” CFO: “…and what happened?” CISO: “Nothing.” CFO: “OK, go do that again.”
The good news is that you can beat this by changing the narrative. Stop asking for money and start asking for decisions. We all live in a continuum of risk wherein we choose to spend less money and experience more risk OR spend more money and experience less risk. Explain this to the decision makers and ask them to commit to their choice as to where they want to live on this continuum.
Choosing to save some money and experience more risk is a legitimate business decision. The failure is allowing executives to live there without making a conscious choice. CISOs are their own worst enemy when they position themselves as defenders of the organization because it lets the executives skate on accountability.
Saying the risk is owned by the business is not just a platitude. A CISO must have the ability to translate this into reality.
I’ve arranged to have this Gartner research report made available until March 5, 2013. Non-Gartner clients have to register to get it, but I think most will find it worthwhile.
Gartner Report: Eight Practical Tips to Link Risk and Security to Corporate Performance