What makes a CISO good at investing in cybersecurity? “Focus on building internal relationships”

Visible CISO activity across the organization

CISOs who are comfortable with their budgets typically have presence and credibility among executives, participate in risk assessment discussions and present program metrics to the board, the IANS report said. This suggests that CISOs need to maintain a highly visible presence, participate in broader organizational activities, and focus conversations on business risks rather than technology controls.

Watson agrees that CISOs need a presence beyond the cyber and IT functions to successfully manage influential and financial relationships. “They may start out in technology, but to move beyond IT they can become business partners and business advisors. It needs to be recognized,” he said.

Chris Peake, CISO at Smartsheet, said the important thing is not simply whether CISOs are visible, but rather how they help organizations understand the scope of the cybersecurity threats they face. The goal is to provide context for decisions about priorities and corresponding funding and budgets.

“For security to be a business enabler, CISOs and security programs must not only be visible, but everyone must have a clear view of the threat landscape,” Peake said.

The CISO’s role is to disseminate this information throughout the organization, including top management and the board, and align it with overall business goals. “The rest of the business needs to understand what they are up against,” Peake said. “This provides context for decision-making about what to prioritize.”

Until now, the CISO and finance functions have not been well aligned, but that is changing as the financial side of the business becomes more important. “Most CISOs I know talk about financing and how to bring new technologies into their organizations,” Peake said.

Emerging technologies such as generative AI that introduce new threat vectors also require investment to manage and protect, sparking conversations about budgets. “New technologies require resources and new perspectives in terms of how to deploy baseline tools,” Peake said.

Still, situations arise that interfere with budget decision-making, and CISOs struggle to ensure certain projects are prioritized.

Antos says that if you lack a relationship with key stakeholders, or even have a conflict with them, barriers may arise that would not otherwise exist. “This can lead to misconceptions about the goals your security team is pursuing, or lead to inaccurate assumptions, misunderstandings and communication issues,” he said.

This can lead to budget allocations falling through the cracks and solutions or initiatives falling off the priority list. It clearly shows how much a shared understanding of a project’s importance matters, which in turn requires constructive relationships and aligned priorities.

“In many cases, what the security department does is actually implemented by other teams, such as engineering, developers, or IT,” says Antos. “So whatever it is you want to implement, make sure it’s at the front of the other team’s work lists.”

Basic financial knowledge for building relationships that influence funding

Watson said that as organizations face financial challenges, CISOs are under increased pressure to justify budgets to stakeholders, including CFOs, CEOs and boards. “Additionally, the SEC’s new disclosure requirements make specificity critical, so there is a growing focus on cyber risk quantification,” he said.

To convincingly answer these challenges, CISOs must connect cyber risks and budgets. This is why cyber risk quantification tools are becoming increasingly important in helping them build sound business cases.

Watson asked, “How do you prove whether something is concrete or not? For this, a mathematical formula is needed. For that reason, cyber risk quantification is currently gaining a lot of momentum in organizations.”

Antos suggests that smaller organizations and companies that do not use consulting firms leverage ISACA or IANS tools and resources to build risk analysis and budgeting processes. “These tools provide guidance and materials to help security teams develop the financial knowledge and budgeting processes they need internally,” he said.

ISACA’s Capability Maturity Model Integration (CMMI) framework helps with cost control and risk-based budgeting strategies. According to the 2023 CMMI Technical Report, organizations using this framework saw a 47% reduction in cost variance.

For Antos, studying information systems and accounting in college helped her bridge the technical and financial aspects of the CISO role. Antos emphasized that understanding the language of finance and communicating the business value of security investments can significantly strengthen a CISO’s position in budget negotiations.

Financial knowledge is no longer optional for CISOs; it is essential for reaching stakeholders and building the business case for security investments.

By understanding the budget process and communicating the business value of security, CISOs can bridge the gap between technical requirements and organizational priorities to secure the resources they need.

At a practical level, especially for large projects, conversations about security needs should start early and explain how those needs will impact the business.

“It’s much easier to prepare all of this in advance than it is during the budget process,” Antos summarizes.

Source: www.itworld.co.kr