Security Budget Battle: Arm Yourself with These Questions
The other person would answer back with the "password" and, based on what answer they gave, would either be admitted through the gate or chased away. The guard's job was simple -- protect the entrance, and thus the entire city or castle was safe. The guard answered to the head of the guards, who answered to the city's leader or the castle's king.
The previous example paints a simplified picture, but it shows the path security reporting should take: no dotted lines, no matrixed reporting chart, just a line drawn straight from the Chief Security Officer (the head guard) to the board or the CEO's office.
The ultimate decision-maker should be the one in charge of everything. But let's be really honest: who among you has that direct line of reporting? Well, I have yet to see a direct line of reporting that didn't have at least one detour.
One detour many institutions' CISOs or Risk Officers take is through the Chief Financial Officer's office: the "decider of budgets," AKA the "guy who signs the checks." Are these people interested in security? Sure, most will tell you, as long as it doesn't cost the institution a lot of money. You're already having to justify every dollar and every person you have on staff, and now you want more money? Good luck.
So, what's the best thing to take into your next budget meeting with your favorite CFO? It's not the box of cookies as peace offering to make up for the last grudge match/budget meeting. How about taking in a list of things that will make your cost-conscious CFO sit up and see the monetary implications to the institution's bottom line if they DON'T spend money on security? That list is 50 questions that CFOs would want to ask themselves about risk and probability of financial losses. And "Loss" is a four-letter word that no Chief Financial Officer wants to hear or see on any report.
The list of 50 questions, "The Financial Impact of Cyber Risk," can be found on the American National Standards Institute's (ANSI) website. It was introduced last fall as a joint release by ANSI and the Internet Security Alliance (ISA). ANSI oversees the development of consensus standards for products, services, processes, systems and personnel in the U.S. and coordinates with international standards bodies. Examples of ANSI standards include the standardization of computer programming languages and of how character values are represented in digital computers.
Here are some sample questions:
Forward your CFO or other key execs a copy of these 50 questions and sit in the office while they review the document. Key words that jump off the page are "legal exposure," "regulatory compliance," "cyber security events," "company reputation," "customer loyalty," "shareholder value" and my favorite -- the one I just know any CFO worth their title will pay attention to -- "financial loss." That's the phrase that makes them reach for their acid relief medication. And these words are just on the table of contents page! Along with the 50 questions, the rest of the document is chock-full of charts to help them estimate the probability and severity of financial loss, both from the risks themselves and from the actions taken to mitigate them.
Let me hear from you about your CFO's reaction (or your senior management) to these 50 questions.