November 25, 2022
Nobody likes talking about budgets.
There’s never enough to go around—and most decision makers would prefer to allocate it to revenue generating activities rather than a cyber security budget.
At some point, every security team is faced with a budget too small to properly protect the organisation. At that point, understanding how the internal financial ‘game’ works is crucial.
This article will cover five tips to help you convince your decision makers to allocate more money to cybersecurity.
Tip #1: Speak Their Language
When it comes to securing budget for any initiative, the first step is to get buy-in from the decision makers—whether that’s the board, the executive team, or a single executive.
This is easier said than done, and there’s no single formula for success. However, there are some things you should keep in mind:
- Focus on business language, not technical metrics. In general, talking about risk and loss prevention is more convincing than overwhelming decision makers with cybersecurity data.
- Demonstrate the risk and potential impact of cyber incidents on your organisation. For example, the average data breach cost UK businesses around £3.5 million in 2021—and that figure grew more than 20% from the previous year. Costs are naturally lower for smaller organisations… but not much lower. Organisations with fewer than 500 employees still have an average data breach cost of £2.2 million. Educating your decision makers with figures like these from reputable sources can go a long way to adding credibility to your budget request.
- Show how security can be a differentiator for the organisation. This is easier in some industries than others. If it isn’t possible, show why it is an essential cost of doing business, e.g., because the impact of a breach on customer trust would be devastating.
- Showing is more effective than telling. If decision makers don’t understand security, consider running them through a virtual exercise (e.g., a ransomware attack) that demonstrates how the threat could enter the network, what might happen next, and what the outcomes could be—then show how your additional spending would prevent that.
- Relate discussions of risk to threats your decision makers are likely to have heard of, e.g., ransomware or supply chain attacks.
Only you can find out what your decision makers want to see in a business case. Network with colleagues across the organisation and find out what has (and hasn’t) worked in the past—then use the information to your advantage.
Tip #2: Make Security an Enabler
Over the last two decades, cybersecurity has developed a bad reputation as a function that:
- Costs money for no discernible business benefit; and,
- Actively blocks business progress by delaying key initiatives.
Let’s be real. Nobody wants to pump more money into a cost centre… and they especially don’t want to pump money into a cost centre that gets in the way of revenue generating activities.
You need to get ahead of these stigmas.
Always aim to demonstrate how security can support business objectives and initiatives—not block them. Similarly, when asking for more budget, tie your request to current business initiatives and priorities, and show how you’ll enable them.
For this to be possible, security leaders must ‘get out there’ at every opportunity and make connections across the organisation—proactively getting involved with business initiatives and doing everything possible to ensure the organisation is protected without causing unnecessary delays.
This isn’t really a ‘trick’ to get more budget. It’s an operational model that will benefit the business… AND make it easier to get budget.
Tip #3: Show How Existing Budget is Spent
Security is a technical discipline, and—often—people who make budgetary decisions won’t have a good understanding of it. That makes it difficult for them to know whether the money the organisation already allocates to cybersecurity is being well spent… and whether it’s a good idea to allocate more of it.
The simple solution to this is maintaining a set of easy-to-understand metrics that show how your security measures protect the organisation from cyber attacks.
There’s plenty of advice available on how to do this. Beyond the obvious performance metrics, here are a few things to consider including:
- How security has enabled or supported key initiatives or objectives—a proven track record is always better than promises.
- Where security has supported improvements to business-critical metrics (e.g., selling more products online due to higher website uptime).
- Anecdotal evidence of specific incidents that have been prevented, along with the potential implications of failing to prevent similar attacks in future.
As an aside, having a basic understanding of how people think and what influences them can be extremely valuable.
Tip #4: Explain What Extra Budget is Needed FOR
This is one of those tips that sounds obvious… but hardly anyone does it because they are too busy. It takes time to build a compelling argument—let alone a business case—and most security teams already have precious little of that commodity.
Taking the extra time to explain your request can be the difference between success and failure.
Put simply:
“We need more budget” isn’t very convincing.
“We need £100,000 over three years to improve the organisation’s resilience to ransomware by implementing a more secure network architecture” is considerably more convincing, particularly if you can explain why your proposed measures will make the organisation more secure.
Tip #5: Find Out What Similar Organisations Spend on Cybersecurity
Benchmarking is generally given more merit than it deserves. It’s one thing to know what a competitor or industry peer is doing, but if you don’t know why… the information isn’t useful. Regardless, executives and boards typically place a high value on benchmarking—particularly if it’s provided alongside other types of information—so it’s worth including if it helps your business case.
As a (very) general rule, most organisations spend between 10% and 15% of their total IT budget on cybersecurity. If your organisation spends markedly less, presenting this information to your board or executive team can help make a case for greater investment.
Naturally, the more specific benchmarking data you can find, the better. It’s not always easy to find budgetary data for a specific industry or geographic area—but if you can, you certainly should use it to your advantage.
If you can’t find financial information, look at stats in your industry that show where organisations fall in terms of maturity in key areas such as Zero Trust. If your organisation is seemingly behind in a high-profile or high-risk area, that can be a compelling argument for investment.
It’s a Game—Learn How To Play It
In an ideal world, budgets would be allocated perfectly to reflect the needs of each organisation. Sadly, we don’t live in that world.
Decision makers do their best, but they can’t be experts in everything. They tend not to be cybersecurity experts—after all, it’s a supporting function and usually not part of the core business.
To successfully obtain more budget, you’ll have to help them understand why cybersecurity is so critical for your organisation—and what will happen if it’s not funded properly. To do this, you’ll have to learn how to ‘play the game’ within your organisation. Security practitioners often find this difficult, as they tend to come from technical rather than management backgrounds.
But if you take one thing from this article, let it be this. As a security leader, perhaps the most valuable thing you can do for your organisation is raise the profile of security.
If you can do this consistently, you’ll find it much easier to acquire the budget you need—and protect your organisation from evolving cyber threats.