How can CISOs influence budgeting decisions?

This blog was posted by Guest Blog

Creating Exceptional Experiences

Dan Crisp, Senior Technology Leader

About Dan Crisp

Dan Crisp is the founder of Digital risk Insight, a technology risk strategic advisory consultancy. He began his career as a technology merger & acquisitions analyst at Citi. Subsequently, he led the technology risk, cyber risk, and Basel programs for JP Morgan Chase in the US. Dan went on to serve as Chief Operations Officer for Barclays Global Information Security in London.

Dan also served as the CISO and Chief Technology Risk Officer for BNY Mellon with technology risk, cybersecurity and data privacy oversight responsibility at BNY Mellon Corporation and its affiliates and subsidiaries. While there, he led the innovation, development and deployment of a global technology risk regulatory controls and analytics system for technology and privacy risk.

Many decision makers overestimate their company's cybersecurity defenses – ‘no news is good news’ and they may not be enthusiastic about allocating more budget to protect themselves. One of the biggest barriers experts in my line of work find is convincing executives that doing nothing allows cybercriminals to gain advantage and potentially is putting the company at peril.

I believe that there are several strategies which can be used to get past organisational resistance and convince decision makers to investment in Information and Cyber Security:

1. Reframe success metrics - what worked before is no longer effective

It is an arms race, what used to work doesn’t work six to twelve months later, you’ve constantly got to be thinking about upping your game and getting that across to non-technical people is essential. For want of a better analogy – executives need to understand that they can’t simply buy the car and then continue drive it for a decade - without servicing it - just because they don’t want to spend further money or buy a new one.

Use problem statements to help push back on the status quo and facilitate conversations as to why what you’ve always done is no longer good enough. Here is an example:

“Our information security management system requires reassessment and transformation to ensure continued effective protection for our clients and the company.”

2. Benchmark with peers to challenge assumptions about the adequacy of cybersecurity investments

For example, when the Travelex breach occurred in London other currency exchange companies wanted to make sure it didn’t happen to them. There were questions like – what was Travelex’s Cyber Security footprint? What was their approach to risk management? How did it compare to their own company and therefore, how likely was this to happen to them?

4. Refine your presentation approach

Keep the focus on the risk to the organisation (operational, reputational, regulatory, litigation, etc.)
Present in non-technical language
Use storytelling to illustrate the risk
Create a sense of urgency. Inaction is dangerous.
Leave a strong document trail leading to the person(s) who grant budget
Always provide a follow-up email regardless of the meeting outcome

You want to leave a strong document trail, and I call that the smoking gun, where it’s been explained in layperson’s terms and is abundantly clear to the budget granter – this is what’s at stake...

5. Use the three-slide technique

Problem statement
Risk storytelling
Solution with costing

The discovery of the three-slide technique is a defining moment in my career. When I was working for a bank, we had a Big 4 consultancy firm provided us with a 40-slide presentation deck, which we spent quite a bit of money on. We were to use these slides to present our justifications to the board for asking for exponentially more money. The CISO I worked with at the time said she didn’t want to use them. She only wanted three slides. One explaining what the problem was. The second was to be the scary slide – explaining what would happen if they didn’t address the problem. The third was the solution and cost. It was so powerful and effective that we got the funding we asked for. I have gone back and used this technique, incrementally, for projects and programme fund raising with great success.

6. Use narratives to illustrate the risk of inaction

I have found the use of narratives incredibly powerful. We used to call those the scary slides i.e. here’s an example of something that has happened recently and here’s why it might happen to you.

News headlines cause decision makers to take action — even if it's short lived
Storytelling activates sensory centers in the brain that make people relate to the story on a personal level — it places them inside of the story
Storytelling is extremely powerful when it comes to marketing and other forms of communication

Use storytelling to demonstrate the risk, create a sense of urgency and leave them with the impression that you have laid this at their feet, with all of the risks and consequences outlined and now the decision is in their hands.

You almost want to worm into a person’s thinking so that they wake up in the middle of the night thinking about what you’ve laid at their feet. You want them thinking - what if we have a cyber-attack and I’m the budget granter who said no? That said, it’s important to use storytelling to convey the drama for you- you want to portray yourself as the calm and collected person who has the plan.

A helpful the trick for me with the storytelling is to make them as scared as you are and no more. If you’re stretching your own fear, it's going to be transparent. Remember...you are competing for finite resources and budget. The best storytelling wins the day and the funding!