[BreachExchange] How CISOs can justify cybersecurity purchases

[Destry Winant]

https://www.helpnetsecurity.com/2020/02/04/justify-cybersecurity-purchases/

Sometimes a disaster strikes: ransomware encrypts critical files,
adversaries steal sensitive data, a business application is
compromised with a backdoor… This is the stuff that CISOs’ nightmares
are made of. As devastating as such incidents can be, for the short
time after they occur, the enterprise usually empowers the CISO to
implement security measures that he or she didn’t get funding for
earlier.

Of course, waiting for disastrous events is a reckless and
unproductive way to fund cybersecurity purchases. How can you make a
proactive business case for justifying expenses that advance your
security program? I have a few suggestions based on my prior
consulting experience and my recent work as a CISO at a cybersecurity
firm.

Security practitioners used to point to the need for defense-in-depth
when explaining why the organization should fund yet another
cybersecurity measure. Unfortunately, this principle alone doesn’t
clarify how many layers are sufficient. Without business-relevant
details and the right context, the people reviewing your request won’t
understand its necessity and significance to the organization.

The request itself: What details to include?

You might know why the organization needs a given security measure,
but how do you relay its significance to others? At the very least,
your funding request should cover:

Risk: How does the measure mitigate or otherwise address a meaningful
risk? Explain the relationship between this risk and the
organization’s business objectives. Clarify what might happen if you
don’t address the risk and how likely this is to happen.
Cost: How much will the security measure cost? Include upfront and
ongoing expenses. Account for the fees you’ll pay to third parties
(software as well as infrastructure) and internal costs related to
people’s time. Discuss the costs of alternative ways of addressing the
risk.
Context: What role does your request play as part of the
organization’s other initiatives and priorities? Also, discuss how
other companies similar to yours handle such risks. Describe the way
in which the risk fits into the current threat landscape that’s
relevant to your organization.

The details above are essential, but they are not sufficient. The
decision makers also need to understand that this is not merely a
one-off request, but that it’s a part of a reasonable plan to
strengthen the company’s security programs. This is where modern
frameworks can help.

Your security program: A method to the madness

If you’re just starting a cybersecurity program, a good way to pick
minimum security measures is CIS Critical Controls. This list and the
accompanying guide provide practical consensus-based recommendations.
If any of these controls are missing from your company, you can point
to CIS Critical Controls to justify your request to fund the
corresponding initiative. If you’re at a young tech company, consider
as another reference the Security4Startups Controls Checklist, which
was created by a group of experienced security professionals.

When requesting funding for security projects in organizations that
require more sophistication than the lists above offer, take a close
look at the NIST Cybersecurity Framework (CSF). It provides a
comprehensive listing of security measures that enterprises should
implement and has gained traction among government and commercial
organizations in the US and world-wide.

Another reference to consider when deciding what security measures
your enterprise needs is the Cybersecurity Defense Matrix, created by
Sounil Yu. It offers a convenient way to understand the role that your
various security tools play and helps identify portfolio gaps. This
uses CSF categories to classify cybersecurity controls and reminds you
to understand their capabilities with respect to your devices,
applications, networks, data, and users. It’s handy for identifying
areas that might have too many or too few security measures.

Additional justifications: Legal and privacy considerations

If you need additional ammunition to justify must-have cybersecurity
measures, your company’s attorneys might help. Get their guidance
regarding picking the baseline controls you must have to exercise due
care and avoid negligence. Work with them to understand the relevant
laws and regulations. Don’t forget to consider privacy obligations,
such as CCPA and GDPR. Ask whether CIS Critical Controls or another
framework provides a reasonable starting point.

Speaking of CCPA and GDPR… When explaining how your funding request is
a part of a larger plan that benefits the organization, look at the
NIST Privacy Framework. This methodology (and others like it) is
especially relevant to organizations formalizing their privacy
program. Though the scope of a privacy program goes beyond
cybersecurity, there is a substantial overlap between the two worlds.
You can strengthen the case for your security measure if it addresses
cybersecurity as well as privacy risks.

The various frameworks above help you to explain how your security
measure – and the associated funding request – fits into your broader
plans for securing the organization. Discussing your request as part
of the overarching plan explains how this request contributes toward
the evolution of your cybersecurity program. It also prepares the
organization for the subsequent requests that you will need to submit
later.