“With confidence lagging in the process used to fund cybersecurity, executives say it’s time for an overhaul,” the survey concludes. That is truer than ever in a year when budgets are being closely questioned as organizations shift spending to adjust to the new economic realities brought on by the pandemic and by digital transformation.
What’s the problem? Too many CISOs can’t speak to the business about cyber risk in the financial terms the business demands from other operations leaders: justifying spending on a return-on-investment (ROI) basis.
Instead, they may fall back on benchmarking budget against industry standards – but as respected security blogger Phil Venables writes, benchmarks are misleading because:
“Your risk is not my risk
“Your business is not my business
“Your threat outlook is not mine
“Just because you and I spend roughly the same doesn’t mean we will get the same result, I might have different people, different issues, different established infrastructure and so on.”
Other CISOs may do what RiskLens co-founder Steve Tabacek describes as “spreading their budget across their domain like peanut butter spread evenly on a piece of bread” to ensure every area gets some coverage. “But that doesn’t meet the efficiency test. The depth of coverage for each one of these areas should be aligned to a formalized risk management approach.”
FAIR™ Cyber Risk Analysis on the RiskLens Platform: Better and Faster Budget Guidance
Factor Analysis of Information Risk (FAIR) is the international standard for quantitative cyber risk management (published by The Open Group); the RiskLens platform powers FAIR cyber risk analysis. With FAIR and RiskLens, CISOs can make spending prioritization and budget decisions based on a financial understanding of cyber risk – and get the data they need to support those decisions faster and more easily than before.
That applies to the typical budget categories for IT security spending:
[Figure: A RiskLens Risk Treatment Analysis report]
Here’s how RiskLens makes it easier and faster:
Factor in the cost of each risk treatment and you have a complete set of cost-benefit analyses that can be tuned to your organization’s decision criteria: best return on investment for risk reduction, greatest absolute risk reduction, treating or accepting a risk against the stated risk appetite, and more. In other words, clear direction for making truly informed decisions on optimizing a cybersecurity budget, at the speed the business demands.
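To make the cost-benefit logic concrete, here is an added, self-contained illustration in the spirit of a FAIR-style analysis. It is not RiskLens platform code and not part of the original post. It assumes the FAIR decomposition of annual loss into Loss Event Frequency (events per year) times Loss Magnitude (dollars per event), models each as a calibrated min/most-likely/max estimate sampled with a triangular distribution (a stand-in for the PERT distribution commonly used in FAIR tooling), and treats a risk appetite as a ceiling on the 90th-percentile annual loss. The treatment names, cost figures and effect factors are constructed for the example.

```python
"""Added illustration: FAIR-style Monte Carlo cost-benefit ranking of risk treatments.

Not RiskLens code. Assumptions: annual loss = LEF * LM; estimates are
(min, most likely, max) triples sampled from a triangular distribution;
risk appetite is expressed as a cap on the 90th-percentile annual loss.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float


@dataclass(frozen=True)
class Scenario:
    """A loss scenario in FAIR terms: LEF (events/year) and LM ($/event)."""
    name: str
    lef: Estimate
    lm: Estimate


@dataclass(frozen=True)
class Treatment:
    """A control investment. Factors below 1.0 shrink LEF or LM (hypothetical effect sizes)."""
    name: str
    annual_cost: float
    lef_factor: float = 1.0
    lm_factor: float = 1.0


def sample(est: Estimate, rng: random.Random) -> float:
    """Draw one value from a triangular distribution over the estimate's range."""
    return rng.triangular(est.low, est.high, est.mode)


def simulate_annual_loss(scenario: Scenario, rng: random.Random, iterations: int) -> list:
    """Simulated annual losses: one LEF draw times one LM draw per iteration."""
    return [sample(scenario.lef, rng) * sample(scenario.lm, rng) for _ in range(iterations)]


def _scale(est: Estimate, factor: float) -> Estimate:
    return Estimate(est.low * factor, est.mode * factor, est.high * factor)


def apply_treatment(scenario: Scenario, treatment: Treatment) -> Scenario:
    """Scenario as it would look with the treatment's LEF/LM reductions applied."""
    return Scenario(scenario.name,
                    _scale(scenario.lef, treatment.lef_factor),
                    _scale(scenario.lm, treatment.lm_factor))


def percentile(values: list, p: float) -> float:
    """Nearest-rank percentile (p in [0, 1]) of a list of samples."""
    ordered = sorted(values)
    index = int(round(p * (len(ordered) - 1)))
    return ordered[max(0, min(len(ordered) - 1, index))]


def evaluate(scenario: Scenario, treatments: list, risk_appetite: float,
             seed: int = 1, iterations: int = 10_000):
    """Return (baseline ALE, per-treatment results) for cost-benefit ranking.

    Every simulation reuses the same seed so baseline and treated runs are paired:
    the difference in ALE reflects the treatment, not sampling noise.
    """
    baseline = simulate_annual_loss(scenario, random.Random(seed), iterations)
    baseline_ale = sum(baseline) / len(baseline)
    results = []
    for t in treatments:
        treated = simulate_annual_loss(apply_treatment(scenario, t), random.Random(seed), iterations)
        ale = sum(treated) / len(treated)
        reduction = baseline_ale - ale
        p90 = percentile(treated, 0.9)
        results.append({
            "treatment": t.name,
            "ale": ale,
            "risk_reduction": reduction,          # expected annual loss avoided
            "annual_cost": t.annual_cost,
            "roi": (reduction - t.annual_cost) / t.annual_cost,
            "p90_loss": p90,
            "within_appetite": p90 <= risk_appetite,  # treat-or-accept test
        })
    return baseline_ale, results


def rank(results: list, key: str) -> list:
    """Order treatments by a decision criterion, e.g. 'roi' or 'risk_reduction'."""
    return sorted(results, key=lambda r: r[key], reverse=True)


if __name__ == "__main__":
    # Constructed ranged estimates for a single scenario (illustrative numbers only).
    scenario = Scenario("ransomware on file servers",
                        lef=Estimate(0.2, 0.5, 1.5),
                        lm=Estimate(150_000, 600_000, 4_000_000))
    options = [
        Treatment("EDR rollout", annual_cost=180_000, lef_factor=0.6),
        Treatment("Immutable backups", annual_cost=90_000, lm_factor=0.5),
        Treatment("Phishing-resistant MFA", annual_cost=250_000, lef_factor=0.4),
    ]
    base_ale, res = evaluate(scenario, options, risk_appetite=1_500_000)
    print(f"Baseline ALE: ${base_ale:,.0f}")
    for r in rank(res, "roi"):
        print(f"{r['treatment']:<24} ALE ${r['ale']:>12,.0f}  reduction ${r['risk_reduction']:>12,.0f}"
              f"  ROI {r['roi']:>6.2f}  p90 ${r['p90_loss']:>12,.0f}  within appetite: {r['within_appetite']}")
```

Ranking the same results by `roi` and by `risk_reduction` can put different treatments first; that divergence is exactly the decision the text describes, and the `within_appetite` flag adds the treat-or-accept test. Because the treatment effect sizes are inputs, the analysis is only as good as the calibration behind them.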