IANS released its latest findings on budget-related best practices for information security leaders to consistently command the budget and resources they need.
“It’s part of the CISO’s job to transition from unsupported to being fully supported, but that can only be done when the stage has been properly set within an organization,” said Doug Graham, CSO at Nuance Communications. “This research report from IANS goes beyond the numbers and uncovers some of the underlying and contributing factors that can help CISOs win the battle and set the stage for a stronger security posture within their organization.”
To keep the research enterprise-focused, only responses from representatives of organizations with full-time CISOs and annual revenue higher than $500 million were included. Half of the enterprise CISOs surveyed (49 percent) have annual security budgets between $1 million and $5 million. One in four (25 percent) have between $6 million and $10 million to spend, while roughly the same number (22 percent) report budgets larger than $10 million.
Most CISOs allocate the biggest budget share to people and technology, with 43 percent on people and 36 percent on technology. The remaining 21 percent include professional services, outsourcing and other budget items. Two-thirds of CISOs indicate that both headcount and operating expenditures are areas of budget growth to which the company is most sensitive.
The fiscal battle zone
Today’s CISOs all have one thing in common: the pressing need for funding to keep their security programs vital. Information security leaders must continually compete to win the resources required to go beyond the InfoSec basics and proactively manage risk. Worldwide IT security spending jumped nearly 8 percent in the past year to top $90 billion, and it’s forecast to climb above $113 billion by 2020, according to Gartner.
Despite promising numbers, however, executive decision-makers now want InfoSec costs inextricably linked to business value and return on investment. While some CISOs consistently command the budget and resources they need, others continue to struggle.
“Somewhat surprisingly, a number of Fortune-level companies with household names have CISOs who struggle to secure the appropriate levels of funding,” said Phil Gardner, CEO, IANS Research. “Although metrics are powerful, several CISOs expressed to us that when it comes to securing budget, it’s more important to deliver a narrative that business leaders can understand. CISOs who can deliver a compelling narrative on how InfoSec powers the business will advance their objectives, increase their stature and win the battle of the budget.”
Credibility, trust and influence
Trust and credibility are the bedrock of CISO effectiveness. Two camps of CISOs emerged during the study – the Supported and Under-Supported. 38 percent of respondents considered themselves Under-Supported, while 62 percent described themselves as Supported.
Under-Supported CISOs are expected to deliver the same products and services for either the same money (42 percent) or less money (32 percent) than Supported CISOs. Ultimately, Under-Supported CISOs are under more pressure and face more scrutiny for ongoing spend. Only 26 percent of Under-Supported CISOs said their ongoing spend is “pretty much left alone” and that inflationary increases are accepted.
The difference between the two had little to do with company size or industry and more to do with an organization’s culture and CISO selection process.
Responses from the most Under-Supported CISOs indicate that they:
- Suffer from a lack of corporate support.
- Rely more on technical explanations than on business justifications for budget requests.
- Are forced to fit spending into larger budgets like IT and their discretionary spending is tightly controlled.
- Are still in the early stages of risk prioritization and their metrics reporting lacks depth and context.
Meanwhile, corporate reporting lines keep these Under-Supported CISOs several steps removed from the organization’s most influential leaders.