Nobody likes talking about budgets.

There’s never enough to go around—and most decision makers would prefer to allocate it to revenue generating activities rather than a cyber security budget.

At some point, every security team faces a budget that is too small to protect the organisation properly. At that point, understanding how the internal financial game works is crucial.

This article will cover five tips to help convince your decision makers to allocate more money to cyber security.

Tip #1: Speak Their Language

The first step in securing a budget for any initiative is to get buy-in from the decision makers—the board, the executive team, or a single executive.

This is easier said than done and there’s no single formula for success. However, there are some things you should keep in mind:

  1. Focus on business language, not technical metrics. Talking about risk and loss prevention is more convincing than overwhelming decision makers with cyber security data.
  2. Demonstrate the risk and potential impact of cyber incidents on your organisation. For example, the average data breach cost UK businesses around £3.5 million in 2021, up more than 20% from the previous year. Costs are naturally lower for smaller organisations… but not much lower. Organisations under 500 headcount still have an average data breach cost of £2.2 million. Educating your decision makers with figures like these from reputable sources can go a long way to adding credibility to your budget request.
  3. Show how security can be an organisational differentiator. This is easier in some industries than others. If it isn’t possible, show why it is an essential cost of doing business, e.g., because the impact of a breach on customer trust would be devastating.
  4. Showing is more effective than telling. If decision-makers don’t understand security, consider running them through a virtual exercise (e.g., a ransomware attack) that demonstrates how the threat could enter the network, what might happen next and what the outcomes could be. Then, show how your additional spending would prevent that.
  5. Discuss risk in terms of threats your decision-makers are likely to have heard of, such as ransomware or supply chain attacks.

Only you can determine what your decision makers want to see in a business case. Network with colleagues across the organisation and find out what has (and hasn’t) worked in the past—then use the information to your advantage.

Tip #2: Make Security an Enabler

Over the last two decades, cyber security has developed a bad reputation as a function that:

  1. Costs money for no discernible business benefit; and,
  2. Actively blocks business progress by delaying key initiatives.

Let’s be real. Nobody wants to pump more money into a cost centre… and they especially don’t want to pump money into a cost centre that gets in the way of revenue-generating activities.

You need to get ahead of these stigmas.

Always aim to demonstrate how security can support business objectives and initiatives, not block them. Similarly, when asking for more budget, tie your request to current business initiatives and priorities and show how you’ll enable them.

For this to be possible, security leaders must ‘get out there’ at every opportunity and make connections across the organisation. They must also proactively get involved with business initiatives and do everything possible to ensure the organisation is protected without causing unnecessary delays.

This isn’t a ‘trick’ to get more budget. It’s an operational model that will benefit the business… AND make it easier to get a budget.

Tip #3: Show How the Existing Budget is Spent

Security is a technical discipline and people who make budgetary decisions often don’t understand it well. That makes it difficult for them to know whether the money the organisation already allocates to cyber security is well spent… or whether allocating more is a good idea.

The simple solution is to maintain a set of easy-to-understand metrics that show how your security measures protect the organisation from cyberattacks.

There’s plenty of advice available on how to do this. Beyond the obvious performance metrics, here are a few things to consider:

  • How security has enabled or supported key initiatives or objectives—a proven track record is always better than promises.
  • How security has supported improvements to business-critical metrics (e.g., selling more products online due to higher website uptime).
  • Anecdotal evidence of specific incidents that have been prevented, along with the potential implications of failing to prevent similar attacks in future.

Having a basic understanding of how people think and what influences them can be extremely valuable.

Tip #4: Explain What Extra Budget is Needed FOR

This is one of those tips that sounds obvious… but hardly anyone does it because they are too busy. It takes time to build a compelling argument—let alone a business case—and most security teams already have precious little of that commodity.

Taking the extra time to explain your request can be the difference between success and failure.

Put simply:

“We need more budget” isn’t very convincing.

“We need £100,000 over three years to improve the organisation’s resilience to ransomware by implementing a more secure network architecture” is considerably more convincing, particularly if you can explain why your proposed measures will make the organisation more secure.

Tip #5: Find Out What Similar Organisations Spend on Cyber Security

Benchmarking is generally given more merit than it deserves. Knowing what a competitor or industry peer is doing is one thing, but if you don’t understand why, the information isn’t useful. However, executives and boards typically place a high value on benchmarking—particularly if it’s provided alongside other types of information—so it’s worth including if it helps your business case.

As a (very) general rule, most organisations spend between 10% and 15% of their total IT budget on cyber security. If your organisation spends markedly less, presenting this information to your board or executive team can help make a case for greater investment.

Naturally, the more specific benchmarking data you can find, the better. It’s not always easy to find budgetary data in a particular industry or geographic area, but if you can, you certainly should use it to your advantage.

If you can’t find financial information, look at stats in your industry that show where organisations fall in terms of maturity in key areas such as Zero Trust. If your organisation seems to be behind in a high-profile or high-risk area, that can be a compelling argument for investment.

It’s a Game—Learn How To Play It

In an ideal world, budgets would be allocated perfectly to reflect the needs of each organisation. Sadly, we don’t live in that world.

Decision makers do their best, but can’t be experts in everything. They tend not to be cyber security experts—it’s a supporting function and usually not part of the core business.

To obtain a bigger budget, you’ll have to help them understand why cyber security is critical for your organisation and what will happen if it’s not funded properly. You’ll have to learn how to ‘play the game’ within your organisation. Security practitioners often find this difficult, as they come from technical rather than management backgrounds.

But if you take one thing from this article, let it be this. As a security leader, perhaps the most valuable thing you can do for your organisation is raise the security profile.

If you can do this consistently, you’ll find it much easier to acquire the needed budget and protect your organisation from evolving cyber threats.