CISOs often have an arduous time getting budget. On top of that, they are constantly thinking about how to improve their security programs, justify what they are already doing, and secure the funding they need for next year. When it comes to winning budget, a CISO needs to trade the technology hat for one borrowed from a colleague in sales or marketing.
When it boils down to it, a CISO is not a technology provider but a business solution provider. That can be a hard realization, especially after spending the first part of a career deep in the technology weeds. For the new CISO, and even for seasoned veterans, it is a challenge to learn to sell and market your ideas to the various stakeholders within the company, and to get funding from them. It is imperative for the CISO to market and sell the security side of the house to the business at large in order to get what the program needs.
Speak Their Language
Not too long ago, the CISO's job was to walk into the C-suite and say, for example, "Hey, we need encryption and key management. Give me the budget and I will go make that happen." Back in the day, they would usually get the money. Now it is more about building relationships and having a business problem to solve.
Times have changed, and it is now important to understand which technologies your stakeholders are hearing about and how you can use their awareness of current security events to bolster your program. Many of the stories that would once have been confined to publications like CSO Online and Krebs on Security now show up in Forbes, Businessweek, and the Wall Street Journal, which is where your stakeholders get their information.
What the mainstream media now covers is the same material security professionals have been dealing with for years; it was simply unknown to the upper echelons of the company. When security admins talk about data breaches, they talk about SQL injection, best practices for data protection, and how to manage a database. That is IT vernacular.
It is important to remember that the executive team does not speak your language. When they talk about someone impersonating the CEO over email to obtain employees' W-2 information, they do not know that this is called a phishing attack (more precisely, spear phishing or business email compromise). Security professionals know this, but that is not what USA Today calls it. You have to understand how to make those connections and draw those lines for people.
Sell and Market Your Program
From time to time you will have an opportunity to engage a stakeholder for 30 seconds to two minutes. When you get those chances, you need to sell your program. Practice the pitch until it comes across naturally, the way you would normally talk. Some suggestions:
- Talk about the good work you are already doing and make clear that you want to do more of it
- Make sure they understand your successes
- Don't talk about things that don't matter to them; that is not how you get a budget
It is also important to have several elevator pitches, depending on who you will be talking to. If you have 30 seconds with a CIO and 30 seconds with a director, the two pitches will differ, because those people care about different things. Whoever you are talking to, the pitch has to be about something they care about. The secret to success is to sell your program and the services of your group as business solutions, not as building a security kingdom.
When you think about selling, you usually think about selling to the CFO or even the board. What is easy to overlook is that you also have to sell to the SOC (Security Operations Center) manager and to other teams and lines of business within the organization. You may not be asking them for funding, but you need them on board so that when you make the big pitch to whoever holds the purse strings, they will have your back. It is a much easier sell when there is a choir of voices saying, "Yes, this is what we think we need. This is the solution we want. We have already bought into it." If three or four directors from different lines of business are backing you, you will be far more successful at getting funding than if you say "This is what I think is needed" and the board replies "What does the SOC manager think?"
If your funders still need convincing, compliance requirements can often help your cause. Frameworks like PCI DSS (an industry standard imposed by the card brands) and regulations like HIPAA are constantly evolving, going through review and update, and bringing in stronger language and more stringent security demands. PCI DSS in particular carries a big stick. Whether you love it or hate it, it can often get you what you need, because your business has to comply if it wants to accept credit cards.
External audit findings can also propel your security program forward. When findings come back, a business risk has been identified, and business risk speaks very loudly to the C-suite. It is in their charter to acknowledge business risks and take appropriate action.
Finally, and unfortunately, there will be times when you are simply told "No, there just isn't budget for _______." What a smart CISO does then is go to the backup pitch. Not hitting a grand slam does not rule out a single or a walk. Your "walk" should be the absolute bare minimum needed to move your cause forward, even a little. A batter who draws a walk still scores from time to time. If you can take a walk and deliver something with it, you will gain the trust of your funders and establish a track record of delivering on time and on budget.