Attention CISOs: Getting buy-in requires a solid business case

Just as the emergence of the pandemic focused our thoughts on health and wellness, the lockdown-related rise in cyberattacks sparked ever more urgent conversations about cybersecurity. Boards of directors at organisations of all sizes are now more open to the notion that security is a necessary component of modern business. There are indications that budgets may soon match requirements.

A recent PwC survey of Middle Eastern organisations showed a marked willingness to increase security budgets. 58 per cent of respondents predicted a rise in their spending this year compared to 43 per cent in 2021. And 31 per cent believed the budget increase would be 10 per cent or more. This is because, of those polled, 43 per cent said they expected the number of reportable incidents in 2022 to exceed those of last year. Amid this surge in incidents, there is an increase in the number of government-mandated standards for the collection, storage and use of data. The UAE’s Personal Data Protection Law is one such regulation.

Despite these changes, chief information security officers (CISO) still have to fill the gaps between understanding and expectation. Security leaders can dole out industry verbiage like zero trust, secure access service edge (SASE) or security service edge (SSE) all day long. However, without a business case that maps directly to increased revenues or lowered costs, it is difficult to get funding for security project.

A new kind of message
CISOs must find a way of explaining their proposal in terms their business-oriented colleagues can relate to — cost of procurement, projected benefit (in monetary terms, if possible), and the probability of the benefit being successfully delivered. The ‘probability’ part is a particular challenge, as it involves computing the risk levels of various kinds of events. And failure to convince decision-makers may result in acceptance of the risk rather than an investment to eliminate it, mitigate it or transfer it.

When positioning cybersecurity in the hybrid-work era, CISOs should characterise it as an enabler, no different than cloud computing itself. With the proper implementation of zero trust, the cloud becomes an environment where innovation is more rapid, costs are lower and employees can collaborate from anywhere. This a message that can shift the needle when attempting to secure buy-in.

To make their case convincingly, CISOs need to have a thorough grasp of their costs. For example, the total cost of ownership (TCO) needs to include more than the price of the software. There are countless hidden costs such as internal person-hours (including the coverage implications of running a 24-7 solution), training and consultancy.

Square pegs, round holes
Another factor to consider is whether the security solution being considered integrates with existing technology. The board will want to know how the new system may affect (both positively and negatively) operations. As part of this discussion, the CISO will have a great advantage if they are in the position to present a rollout plan that has minimal downtime associated with it.

In the modern complex multi-cloud environments, it is essential that any procured solution fits in with all systems and does not disrupt operations. And it is essential that the new solution does not require any lengthy configuration process or extensive training, as both will escalate costs and stretch out time to value.

Disruption to operations is a classic hidden cost and can often drag a project down. Telling a compelling story in the technology world should always include selling points such as speed, efficiency and simplicity of installation. If resources are minimally impacted during the journey to value, this may be the push needed to convert some doubters.

How SSE sells itself
The CISO must show the board that there is an answer to the issues that keep them up at night. A technology such as SSE – the security side of SASE – unifies security services such as secure web gateway (SWG), cloud access security broker (CASB) and zero trust network access (ZTNA). Why does this matter? Because it reduces risk with a streamlined security posture.

When organisations can deploy a single platform that is easy to use and provide full visibility and unified controls, users are safer, data is safer, networks are more protected, and the organisation takes a huge step towards compliance. By consolidating security and networking functions, SASE enable organisations to full embrace the cloud with a simplified path to zero trust.

The business benefits of these approaches come from the consolidation of security tools. Network and connectivity costs are reduced, and operations made smoother. Reduced complexity means less labour required to operate tools, freeing up security and IT teams to focus on more innovative tasks.

While many other factors — personalities, externalities, skills, available budget – may yet hamper the route to that all-important ‘yes,’ CISOs who create the right narrative are more likely to get the resources they need to do what needs to be done and build a more secure digital estate.

Bahaa Hudairi is the regional sales director – META at Lookout

Read: What every CISO needs to do in their first 100 days: Gartner

Also read: A CISOs guide to cybersecurity planning in 2020 and beyond