[BreachExchange] Attention CISOs: Five steps to get the security funding you need

Destry Winant destry at riskbasedsecurity.com
Fri Apr 19 05:03:47 EDT 2019


https://www.helpnetsecurity.com/2019/04/17/ciso-get-security-funding/

Going in front of the board to request or increase your security
funding is no easy task – especially when the organization is facing
budget restraints or, worse, the board does not agree with your sense
of urgency in securing the organization.

If you’re about to make such a presentation, remember your focus
should be describing your organization’s overall cyber security
maturity, risks caused by company deficiencies, existing risk position
based on current weaknesses, and proposed solutions.

To help you get the funding you need, here’s a five-step funding
request template that you can follow.

1. Identify your valuable assets and risks caused by organizational deficiencies

Describe your company’s most important assets and how profitability
and brand image could be negatively impacted by an attack on your
computer systems.

2. Prioritize and assess your organization’s current risks

Identify your company’s top five cybersecurity risks – those with the
greatest potential impact on your organization – and assess your
company’s strengths and weaknesses as well as acceptable risk levels
in terms of people, information, processes, applications, and
infrastructure.

3. Present your proposed security program

Describe your risk management plan in terms of:

- Information asset management – What will a data loss prevention
process and technology include?
- Security maturity upgrade – How do you plan to strengthen your
security governance regime, upgrade your information security
management maturity, and establish a security assurance and reporting
program?
- Network resilience improvement – Why and how you will replace
legacy network equipment, and why and how you will isolate and better
protect your most sensitive network segments.

For the best impact, visually present the most critical and
highest-impact risks to the company in terms of:

- Priority
- Impact
- Probability
- Current countermeasures
- Vulnerability
- Threat
- Asset’s name

4. Describe a security plan to address current risk levels

- Present controls, such as buying and implementing services,
licenses, development, configurations, support, etc.
- Explain how an internal, external, or combined data protection
solution will be implemented to increase detection capabilities,
reduce the possibility of a breach involving sensitive information,
and lower the risk from critical to low.
- List the proposed control resources for each quarter.
- Governance model – Show why your strategy will be successful and
explain the responsibilities of the executive risk board, such as:
  + Sponsoring and monitoring the program
  + Program maintenance
  + Methodology instruction for each project
- Clarify positive post-strategy expectations:
  + Greater process maturity to improve performance management and
target budget more effectively
  + Improved technical security for production resilience, improved
collaboration within risk tolerance, and integration with subsidiaries

5. Call for action – Describe next steps for approval

Recommend that the board:

- Note the current state of the organization’s security
- Approve the strategy outlined
- Set success and progress benchmarks for the governance and investment program
