In today's intensely aggressive cyber landscape, where every email you receive has to be treated as potential malware, cybersecurity professionals are building new solutions to keep their organizations from becoming the next cyber-news headline. Millions of customer and employee records are stolen in what seems like every week, and alongside the theft, daily operations are disrupted. Given all the challenges cybersecurity professionals face in combating this onslaught of attacks, why do so many Chief Information Security Officers report that their top priority is securing a larger budget to protect the organization, prevent incidents and ensure continuous operation even during a cyber-attack? Why is it harder than ever to obtain a budget for cybersecurity?
Build the appropriate narrative
Bridging the gap between technical and business audiences is extremely difficult, because the path to cybersecurity management runs through years of engineering experience. By the time a cybersecurity professional applies for a management role or has the experience to lead a team, many lack the soft skills needed to communicate with business owners. The best way to approach a conversation about a cybersecurity budget is therefore to build a narrative that makes sense to the board, which holds the power to fund your new cybersecurity solution.
Show a business need – industry-specific events
The question remains: how do we as cybersecurity professionals build the needed narrative? In my experience, the easiest way to get a cybersecurity budget approved is to solve an immediate problem (the company is currently under attack) or to solve a business problem with a cybersecurity solution (two birds with one stone). The narrative I like to build as soon as I engage with business owners is that my goal is not only to protect the organization but also to assist in the money-making process. Cybersecurity is often seen as the department that makes things harder rather than easier. I suggest building solutions around the industry you are in. For example, I was once tasked with improving the cybersecurity posture of a production organization; in that industry the business moves fast and the daily tasks change frequently. Knowing the industry, I focused on single sign-on and configured systems for flexibility. Because the systems and products I introduced were designed with flexibility in mind, each solution I came up with worked well for that organization. Had I asked "what is the most secure?" instead of "what is best for this organization?", I would have failed at my task.
Likelihood and Impact
It's not enough to build the right story and know your audience; you must also present the importance of the security hole you are attempting to fill. I once worked for an organization that suffered constant phishing attacks; it was so bad that the attackers would text our employees' cell phones, pretending to be the CEO, to get them to make purchases. I observed these attacks and was personally targeted, so I decided to present the costs for an email gateway and dark web monitoring. I was instantly rejected because of the monthly cost of the solution. However, one month after the rejection our CEO, Chief Human Resource Officer and Chief Financial Officer were all compromised. Not only were their emails exposed, but the attackers also attempted to get one of our customers to send us money, so that customer now knows about the successful attack. During the attack my boss called me to say my solution had been approved and to implement it as quickly as possible. The initial rejection was not because our CEO did not believe the attack could ever occur; rather, he did not believe it was likely to occur, nor did he understand the impact of such an attack.
The Risk Matrix is a way to illustrate both the likelihood that an attack will occur and the impact it would have on the organization. Likelihood is assessed by identifying a vulnerability and the threats that could exploit it. For example, if your firewall vendor has disclosed a buffer overflow in the SSH service of firmware version 12 and you have not upgraded to firmware 13, your firewall is likely to be compromised unless you either upgrade to firmware 13 or disable SSH (or, at a minimum, restrict it to a trusted management network until you can patch). The impact portion of the Risk Matrix identifies the consequences of a successful attack. In the firewall example, the attacker could escalate privileges on the device or open a reverse shell from it. Thinking through the information an attacker could reach and the damage they could do by leveraging the unpatched vulnerability is the real benefit of the Risk Matrix: it turns "the firewall has a bug" into a statement of likelihood and business consequence that the board can weigh against the cost of the fix.
Example of a Risk Matrix
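To make the Risk Matrix concrete, here is a small Python risk register, added as an example and not part of the original post. It scores each risk on 1-5 likelihood and 1-5 impact scales, maps the product onto Low/Medium/High/Critical bands, ranks the register, and re-scores the firewall SSH case from above once the firmware is patched (or SSH disabled). The scales, band thresholds and sample risks are assumptions chosen for illustration, not vendor or incident data.

```python
"""Risk-matrix scoring for a small risk register.

Added example, not from the original post. The 1-5 likelihood and impact
scales, the rating thresholds and the sample risks are all assumptions.
"""
from dataclasses import dataclass, replace

# Rating bands for the product likelihood x impact (range 1..25).
# Assumed thresholds, checked top-down: the first floor the score reaches wins.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


def _check_scale(name: str, value: int) -> None:
    """Both axes of the matrix are ordinal 1..5; reject anything else early."""
    if not 1 <= value <= 5:
        raise ValueError(f"{name} must be between 1 and 5, got {value}")


def _clamp(value: int) -> int:
    return max(1, min(5, value))


@dataclass(frozen=True)
class Risk:
    """One row of the register: a vulnerability/threat pair and its two scores."""
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain (threat meets exploitable weakness)
    impact: int      # 1 = negligible ... 5 = severe (what a successful attack costs)

    def __post_init__(self) -> None:
        _check_scale("likelihood", self.likelihood)
        _check_scale("impact", self.impact)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        return rating(self.score)


def rating(score: int) -> str:
    """Map a 1..25 score onto the qualitative band used in the matrix."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def mitigate(risk: Risk, likelihood_delta: int = 0, impact_delta: int = 0) -> Risk:
    """Re-score a risk after a control is applied, keeping both scales in 1..5."""
    return replace(risk,
                   likelihood=_clamp(risk.likelihood + likelihood_delta),
                   impact=_clamp(risk.impact + impact_delta))


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first; on ties, prefer the higher impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


# Constructed register. Scores are illustrative, not vendor or incident data.
FIREWALL_SSH = Risk("Firewall firmware 12: SSH buffer overflow, unpatched, SSH reachable", 5, 5)
REGISTER = [
    FIREWALL_SSH,
    Risk("Executive impersonation phishing / business email compromise", 4, 4),
    Risk("Stolen laptop with full-disk encryption enabled", 3, 2),
    Risk("Visitor tailgating into the office lobby", 2, 1),
]


def report(register: list[Risk]) -> str:
    """Render the ranked register as a plain-text table for a budget discussion."""
    lines = [f"{'Score':>5}  {'Rating':<8} {'L':>1} {'I':>1}  Risk"]
    for r in rank(register):
        lines.append(f"{r.score:>5}  {r.rating:<8} {r.likelihood} {r.impact}  {r.name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER))
    # Upgrading to firmware 13 (or disabling SSH) removes the exploitable
    # weakness, so likelihood drops to 1 while the potential impact is unchanged.
    patched = mitigate(FIREWALL_SSH, likelihood_delta=-4)
    print(f"\nAfter patching: score {patched.score} ({patched.rating})")
```

Note that the mitigation only moves the likelihood axis: patching does not make a firewall compromise any less damaging, it just makes it far less likely, and the table makes that distinction visible to a non-technical reader.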
Cybersecurity professionals struggle to find talent, build strong security postures for their organizations, adapt to an ever-changing attack landscape and obtain proper funding to protect their organizations' systems and vital information. Speaking the business language that organizational leaders understand helps build the narrative that cybersecurity can help the business make money, and that brings interest and funding to your cybersecurity project. The Risk Matrix lets you, as a cybersecurity professional, break down the risks your organization faces by their likelihood of occurring and illustrate how much impact a successful attack would have on the organization.