As RiskLens President Steve Tabacek writes, “The winners of the infosec budget competition enter the process with spending proposals backed up by quantitative cyber risk analysis showing a return on investment in terms of risk reduction and support for the broader initiatives of the organization. Risk quantification sets you up to make your pitch for budget in the dollars-and-cents terms that the rest of the business operates on.”
We put together this package of blog posts showing how CISOs leverage quantification, the RiskLens platform and the FAIR™ model for cyber risk analysis to make their best pitch for budget.
In this blog post, Steve Tabacek, takes a reality-check approach to security budgeting: “Changes to most budgets are typically a few percentage points north or south of previous year allocations.” Start with the must-do, compliance-focused line items and approach them as risk-reduction opportunities, not just a shopping list of controls, Steve advises. Then make a funding pitch for initiatives that support the organization’s strategic initiatives.
This post by RiskLens CEO Nick Sanna flips the point of view to the budget approver. “CFOs can’t afford to take the attitude that cybersecurity is just a technical cost center, too technical for them to understand, and exempt from financial risk analysis,” Nick writes. Expect CFOs to ask probing, bottom-line questions that can only be answered in financial terms through risk quantification, such as:
- How much risk—or loss exposure–do we have, in dollar terms?
- Are we spending too much or too little?
- Are we focusing on the things that can reduce risk the most?
In this deep dive, Dr. Jack Freund, Risk Science Director at RiskLens and co-author of the FAIR book Measuring and Managing Information Risk shows how the budgeting process builds up from a thorough, FAIR-based review of your entire security program. That enables a CISO to demonstrate current state of risk and future states with application of controls leading to risk reduction, and repeated for each risk statement that’s tied to a budget item.
A RiskLens Top Risks Analysis Report
Aligning your budget requests to strategic initiatives of the organization make sense and here’s some detail on how to get there. In this case study, the RiskLens analyst gathered the top themes that the business believed represented the greatest strategic risk and ran them through RiskLens FAIR analysis, resulting in a ranked list of top cyber risks, based on loss exposure in financial terms.
Let’s get down to cases – what does an actual justification of a budget item look like, based on ROI of risk reduction, when run through a RiskLens analysis? See how one client used the RiskLens platform to run the numbers comparing three approaches to data loss prevention for employee email.