Attention CISOs: Five steps to get the security funding you need

Going in front of the board to request or increase your security funding is no easy task – especially when the organization is facing budget restraints or, worse, the board does not agree with your sense of urgency in securing the organization.

If you’re about to make such a presentation, remember your focus should be describing your organization’s overall cyber security maturity, risks caused by company deficiencies, existing risk position based on current weaknesses, and proposed solutions.

To help you get the funding you need, here’s a five-step funding request template that you can follow.

1. Identify your valuable assets and risks caused by organizational deficiencies

Describe your company’s most important assets and how profitability and brand image can be negatively impacted by an attack on your computer systems

2. Prioritize and assess your organization’s current risks

Identify your company’s top five cybersecurity risks – those with the greatest potential impact on your organization – and assess your company’s strengths and weaknesses as well as acceptable risk levels in terms of people, information, processes, applications, and infrastructure.

3. Present your proposed security program

Describe your risk management plan in terms of:

  • Information asset management – What will a data loss prevention process and technology include?
  • Security maturity upgrade – How do you plan to strengthen your security governance regime, upgrade your information security management maturity, and establish a security assurance and reporting program?
  • Network resilience improvement – Why and how you should replace legacy network equipment and why and how you should isolate and better protect your most sensitive network segments.

For the best impact, visually present the most critical and highest-impact risks to the company in terms of:

  • Priority
  • Impact
  • Probability
  • Current countermeasures
  • Vulnerability
  • Threat
  • Asset’s name

4. Describe a security plan to address current risk levels

  • Present controls, such as buying and implementing services, licenses, development, configurations, support, etc.
  • Explain how to implement an internal, external, or combined data protection solution to increase detection capabilities and reduce the possibility of a breach involving sensitive information and lower the risk from critical to low
  • List the proposed control resources for each quarter
  • Governance model – Show why your strategy will be successful and explain responsibilities of the executive risk board, such as:
    + Sponsor and monitor program
    + Program maintenance
    + Methodology instruction for each project
  • Clarify positive post-strategy expectations:
    + Greater process maturity to improve performance management and target budget more effectively
    + Improved technical security for production resilience, improved collaboration within risk tolerance, and integration with subsidiaries

5. Call for action – Describe next steps for approval

Recommend that the board:

  • Note the current state of the organization’s security
  • Approve the strategy outlined
  • Set success and progress benchmarks for the governance and investment program