Now I know this is a vastly complicated issue that nearly all Security teams face in their organisation for one reason or the other but are we selling the wrong story to the board and thus makes attaining the higher cyber security budget harder?
I hear all the time that Security should or is being sold to the board of directors by say x, y and z are going to happen if you don’t fund this project or tool or get this resourcing. This is the amount of risk and here is the list of terrible things that will happen if you don’t buy in to Security.
Now I obviously don’t inherently disagree with this approach as the points will be completely valid, but should this be the message we want to get across?
Maybe we should be selling Security as if it was a stand alone product we are selling to customers. At the end of the day Security is fundamentally built into our products and organisation and is an expectation to uphold from businesses across the globe, particularly with the surge of high profile breaches in the past decade. Additional Security can be and is being sold by some organisations as an additional benefit to your already existing product, these benefits can have direct impact on the profitability of the business as customers will see it as an additional advantage to go with the more secure product. The extra protection can also be used as a marketing tool to pull in customers to start with and to get ahead of competitors to not only meet regulations and certification but to build upon these.
When the argument is rephrased like this there is a possibility that there will be an increased buy in from the business which will allow itself for increased Security Budgets. There is also a major factor to play in this whole question that can drastically change the approach. This factor is not only the Security awareness of the business but Security awareness from the top level to truly be able to assess risks and benefits from either not doing x,y or z or investing money into the business for Security as the responsibility does not fall down just to the CISO and his Security team but every individual within the business no matter the size.
There is also the complete possibility that everything the community and CISOs are doing today is a perfect solution but what do you think?