What do you do when there are conflicts with stakeholders over cybersecurity budget priorities? How do you ensure everyone understands the reasoning behind funding decisions?
It's about focusing on business outcomes. Cybersecurity isn't a tax or burden; it's an enabler of safe operations. Our customers expect quality and cybersecurity is a part of that quality assurance. Using data to demonstrate the probability of achieving desired outcomes helps. Under-investing or over-investing in cybersecurity both have potential negative outcomes. By showing the minimum viable capability and the benefits of further investment, we can illustrate the risks we mitigate.
It's essential to go back to the basics: identifying the threat, risk and impact. Stakeholders, especially in critical infrastructure, understand the consequences of not investing in necessary solutions. If a lack of investment could lead to a $30 million loss due to a breach, asking for $200,000 becomes an easy sell. Simplifying the explanation of threats, risks and impacts helps eliminate conflicts.
It really comes down to effective communication. It's crucial to ensure all stakeholders understand why we're investing in a particular solution or strategy. Instead of focusing solely on technical details, we need to present security risks in terms of potential business and financial impacts. This approach helps stakeholders across departments grasp the importance of the investment. For instance, if we're migrating to cloud services, we must explain the business reasons behind this move, such as agility or development scenarios, before delving into technical solutions like tools for CSPM or identity management. By focusing on business impact and financial considerations first, we can align everyone and resolve conflicts through discussion, respecting all opinions.
Communication is key, and understanding the escalation path for resolving conflicts is also crucial. Ultimately, our objective must align with the strategic goals set by senior management. These priorities guide our discussions and decisions. When disagreements arise, we refer back to our core priorities, ensuring they drive our strategy. This becomes our filtering process to determine where to invest and what to defer to future years.
If you start from the initiatives and involve stakeholders early on in the selection, PoC and pilot phases, they will back you on the priorities and thus on the cybersecurity budget priorities, at least from my experience.
Gartner's Protection Level Agreements (PLAs) proved invaluable during our discussions with stakeholders. We prioritized our initiatives and leveraged the PLAs to facilitate meaningful engagement. While it initially took some effort to convey the rationale behind funding decisions, repeated conversations eventually helped stakeholders understand why certain projects were prioritized.