Writing articles and blogs, and teaching cyber programs, creates the opportunity to interact with a number of individuals working in cyber defense. This interaction with professionals in the military, defense industry, critical infrastructure providers as well as security product and service providers often results in contradictions about the current state of the cyber threat environment and our cyber defenses. However, there is one area where there seems to be a growing consensus.
It probably won’t surprise you to discover that area of consensus is about the current levels of funding for cyber security. I cannot recall anyone who has told me they have plenty of funding to meet the current demands of protecting their systems from cyber attacks. The number of connected devices that require monitoring and protection is increasing; the number of software applications (traditional and mobile apps) used by organizations is increasing, as are the number of malware strains and cyber threat actors. Given that context, it is easy to see how those responsible for protecting and defending all these assets would be asking for more money.
A C-level executive was challenging the budget requested for securing the organization’s information systems and devices. After the chief information security officer presented his budget and the slides that supported his budget request, the executive asked: “If we increased your budget request for next year by 10 percent, could you put the money to good use?” The CISO was ecstatic and answered, “Absolutely.” The executive then asked about an increase of 15 percent. The CISO replied that without question they could use the extra money. Finally, the executive said, “How about 25 percent?” The CISO said, “Oh yeah, there are additional protections we could fund.” At this point the CISO had visions of funding far beyond what he had requested. The executive paused for what seemed an eternity and leaned back in his chair. His expression changed and he asked, “Where does it end? How much is enough?”
The question of justifying budget requests for cyber security has been around a long time and will not be going away anytime soon. All too often the CISO uses compliance as the sole justification for the requested level of funding. It has been my experience that allowing the corporate legal team to justify the organization’s compliance need gets the best results. While compliance is certainly one component that contributes to cyber security budgets, a more businesslike approach is often much more persuasive, especially at the executive level. What we need to do is become much more articulate about the value of the organization’s information assets and the risks that are specific to each asset class. If we are able to collect these organization-specific metrics from an impartial source, that would certainly go a long way toward building credibility. Using that data, an asset value versus risk versus benefit (AV/R/B) analysis specific to the cyber threats facing that organization can be calculated.
Using the common business practice of AV/R/B analysis sure beats the fear-mongering approach that many CISOs have used and some continue to use. CISOs should steer away from general metrics such as cyber security funding per dollar of revenue or as a share of overall funding dollars. This is not just an issue for the private sector. Just recently one inspector general’s report on metric issues stated that some metrics were unclear and ambiguous. Taking on this task will not only help justify cyber security budgets, it will also provide a view of the organization’s cyber threat environment that is different from what most security departments produce today. Besides, we are in an era of tight budget dollars, and if cyber security is to get its fair share of funding, a more substantive approach to justification would certainly help.
It all comes down to what makes sense.
Kevin Coleman is a senior fellow at the Technolytics Institute and former chief strategist at Netscape.