Mastering the Boardroom: How CISOs Can Secure Cybersecurity Budgets

Aug 6, 2025 | Press Hits

Cybersecurity is a crowded market, and getting your voice to rise above the rest to demonstrate genuine thought leadership is a skill that Bridgeview PR Services excels at. In this case, BVM placed insights from John Bruce, Chief Information Security Officer at Quorum Cyber, on how CISOs can navigate the boardroom.

Originally posted by Cybersecurity Insiders at https://www.cybersecurity-insiders.com/mastering-the-boardroom-how-cisos-can-secure-cybersecurity-budgets/

For Chief Information Security Officers (CISOs), the budget season is a crucial period. It’s when they need to justify their financial needs to a boardroom of executives who may not fully grasp technical jargon. According to a recent PwC study, 59% of directors acknowledged that their boards are not very effective at understanding the drivers and impacts of cyber risks on their organizations. Without a persuasive, business-focused argument, CISOs risk losing essential funding for security measures and risk mitigation strategies, which could leave their organizations susceptible to various cybersecurity threats.

Today, CISOs face higher expectations from both their boards and external regulatory bodies. They just cannot afford to leave their organizations vulnerable. Instead of presenting a conventional list of security needs, they must advocate for a proactive cybersecurity strategy that ensures business continuity when threats inevitably occur. By reframing the conversation from mere compliance to viewing cybersecurity as a strategic business investment in risk reduction, CISOs can emphasize their role in safeguarding revenue, operations, and brand reputation.

After thirty years of working in IT and cybersecurity, here are my three tips for CISOs to present their budget requests to the board.

1. Move Beyond the Compliance Checklist Approach

A common mistake in budget planning is viewing cybersecurity as merely a compliance task – focusing on checking boxes rather than genuinely enhancing security. While compliance is crucial, relying solely on a checklist does not ensure effective risk reduction or business resilience. Securing budget approval begins with pinpointing critical security measures tailored to an organization’s specific risk environment and demonstrating how these investments support broader business goals.

To advocate for more strategic spending, CISOs should assess compliance-related investments by considering their actual impact on security. For example, if a regulatory requirement mandates a control that offers little improvement to the overall security stance, simply implementing it is insufficient. CISOs need to quantify its shortcomings and promote solutions that achieve both compliance and meaningful risk reduction. The aim is to shift from reactive spending to proactive, risk-based decision-making that aligns with the business objectives prioritized by the board.

2. Quantify Risks and Build a Financial Argument

One of the main challenges CISOs face during budget discussions is making cybersecurity risks feel concrete. These risks often remain unnoticed until a breach occurs. Traditional tools like heat maps, which use color-coding to represent potential threats, can be misleading or overly simplistic. Although they provide a general overview of risk areas, heat maps do not offer a clear understanding of the financial impact of these risks. Therefore, it is crucial to transition from qualitative assessments like heat maps to cyber risk quantification (CRQ), which assigns measurable financial values to potential threats and mitigation strategies.

By utilizing reliable and validated cyber risk models that assess their organization's risk and quantify the likelihood and financial impact of specific cyber threats, security leaders can present realistic scenarios illustrating financial trade-offs. For instance, a company might face a 5% annual risk of a ransomware attack costing an average of $10 million, an expected annual loss of $500,000. Investing $100,000 annually to reduce that likelihood from 5% to 2.5% cuts the expected annual loss to $250,000. The $250,000 reduction, net of the $100,000 spent, is a $150,000 gain, an approximately 150% annual return on investment (ROI) in terms of financial risk reduction, and a smart, defensible decision.

By framing security in financial terms – comparing average losses mitigated to the investment required – CISOs can make a compelling case for funding essential cybersecurity initiatives.
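To show how a CRQ model produces these figures rather than a single line of arithmetic, here is an added example that is not part of the original article and is not Quorum Cyber's or any vendor's risk model. It runs a seeded Monte Carlo over a single loss scenario: a Poisson event frequency, a lognormal single-event loss, the closed-form and simulated expected annual loss, the 99% value at risk, and the return on security investment (ROSI) of a control. The scenario figures are the article's hypothetical ransomware numbers with an assumed $100,000 annual control cost (the cost that yields a 150% ROI); the `Scenario` fields, the 20,000 simulated years and the lognormal spread parameter are illustrative assumptions, not real loss data.

```python
"""Monte Carlo cyber risk quantification (CRQ) for one loss scenario.

Illustrative code added to this article, not a vendor's CRQ model. Event
frequency is Poisson, single-event loss is lognormal, and every number in
main() is the article's hypothetical ransomware example, not real loss data.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how often it happens and how much one event costs."""
    name: str
    annual_rate: float   # expected events per year (annual rate of occurrence)
    loss_median: float   # median cost of a single event, in dollars
    loss_sigma: float    # spread of ln(loss); 0.0 means every event costs loss_median


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form annualised loss expectancy: rate x mean single-event loss.

    The mean of a lognormal loss is median * exp(sigma^2 / 2).
    """
    return s.annual_rate * s.loss_median * math.exp(s.loss_sigma ** 2 / 2)


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on security investment: net expected-loss reduction per dollar spent."""
    return (ale_before - ale_after - annual_cost) / annual_cost


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year (Knuth's algorithm; fine for small rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 7) -> list[float]:
    """Total loss in each of `years` independent simulated years (seeded, so repeatable)."""
    rng = random.Random(seed)
    mu = math.log(s.loss_median)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(rng, s.annual_rate)):
            total += rng.lognormvariate(mu, s.loss_sigma)
        losses.append(total)
    return losses


def value_at_risk(losses: list[float], confidence: float) -> float:
    """Empirical VaR: the annual loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    idx = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def compare_control(before: Scenario, after: Scenario, annual_cost: float,
                    years: int = 20000, seed: int = 7) -> dict:
    """Board-level figures for a control that turns scenario `before` into `after`."""
    lb = simulate_annual_losses(before, years, seed)
    la = simulate_annual_losses(after, years, seed + 1)
    ale_b, ale_a = expected_annual_loss(before), expected_annual_loss(after)
    return {
        "ale_before": ale_b,
        "ale_after": ale_a,
        "simulated_ale_before": mean(lb),
        "simulated_ale_after": mean(la),
        "var99_before": value_at_risk(lb, 0.99),
        "var99_after": value_at_risk(la, 0.99),
        "rosi": rosi(ale_b, ale_a, annual_cost),
    }


def main() -> None:
    # Article's hypothetical: 5% annual chance of a $10M ransomware loss, and an
    # assumed $100k/year control that halves the likelihood (figures are illustrative).
    before = Scenario("ransomware", annual_rate=0.05, loss_median=10_000_000, loss_sigma=0.0)
    after = Scenario("ransomware + control", annual_rate=0.025, loss_median=10_000_000, loss_sigma=0.0)
    for key, value in compare_control(before, after, annual_cost=100_000).items():
        print(f"{key:>22}: {value:,.2f}")


if __name__ == "__main__":
    main()
```

Two caveats the simulation makes visible that the single ROI figure hides. First, a control that only lowers likelihood halves the expected loss but leaves the 99% VaR at the full $10 million, because one bad year still costs the same; a control that reduces impact (for instance, setting `loss_median` to the $4 million figure used in the EDR example below) is what moves the tail. Second, for an event with a roughly 5% annual rate, a 95% VaR sits on the boundary between "no event" and "one event" and tells the board almost nothing, so report VaR at 99% or higher, or the expected loss in the tail, alongside the expected annual loss.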

3. Communicate in the Board’s Terms

The main challenge for CISOs is not just securing a budget but ensuring that decision-makers understand its necessity. Boards and executives are focused on business continuity, revenue protection, and ROI, rather than technical details like firewalls and threat detection.

Traditionally, ROI has been difficult to quantify for cybersecurity investments due to challenges in estimating the value of risk reduction. However, recent advancements in cyber risk quantification have made this possible. By using models validated with real-world loss data, CISOs can now produce an ROI figure. With a CRQ approach to risk analysis, they can present security investments in financial terms that resonate with decision-makers, such as:

  • Value at Risk (VaR): What is the potential financial impact of a cyberattack on essential business functions?
  • Risk Reduction: How much does a particular investment decrease financial exposure?
  • Business Continuity: How will this investment help the company remain operational during an attack?

For instance, instead of stating, “We need endpoint detection and response (EDR) to enhance threat detection,” a CISO could explain, “In the event of a ransomware attack, investing in EDR is expected to reduce our risk of business interruption and extortion from $10 million to $4 million, saving millions in cleanup costs and lost revenue.”

By using the board’s financial language and clearly articulating the rationale behind cybersecurity investments, CISOs can not only secure this year’s budget but also foster long-term collaboration. When executives understand the strategic value of cybersecurity, they are more likely to prioritize it in future discussions, facilitating alignment on long-term goals, supporting ongoing initiatives, and building a shared sense of responsibility for the organization’s overall resilience.

Improving CISO and Boardroom Dynamics

Historically, CISOs have faced challenges in advocating for their needs in the boardroom, but this is beginning to change. High-profile breaches and increased regulatory scrutiny have heightened C-suite awareness about the importance of addressing cyber risks. To fully close the gap, CISOs need to expand their focus beyond technical defenses and establish themselves as risk advisors and strategic business leaders. This involves mastering financial terminology, expressing risks in monetary terms, and highlighting cybersecurity as a vital component for ensuring business continuity and resilience.

John Bruce is a seasoned risk and cyber security executive with 25+ years of experience, currently serving as Chief Information Security Officer at Quorum Cyber. He has previously held CISO roles at Places for People Group and CGI as well as senior Global Partner and Director positions at IBM, Lloyds Banking Group, and Royal Bank of Scotland Group. John is a subject matter expert who leverages market-leading solutions and innovative approaches to protect the business strategy and mitigate cyber risks. He combines technical knowledge with business acumen to transform security from a technical function into a strategic business enabler.
