As we enter the budget season again, it is amazing to see how much content is being created to justify the importance of cyber security investments. This has become difficult to match with the experience of field experts. As the world has experienced a non-stop wave of cyber attacks over the last decade, many companies have had to make tough decisions.
Cyber-attacks are no longer considered a matter of risk, but a matter of certainty. As a result, the attitudes of senior executives have shifted regarding their cyber security budget amounts.
Many companies have been forced to ask themselves if they are spending enough of their budget on cyber security. Not too long ago, the only question was concerning if they needed cyber security at all. Times have changed drastically because of the increase in technology.
In many cases, a company’s board no longer needs to be convinced that cyber security is required. Instead, they need to be given assurance that their investments will be executed properly.
Board members and senior executives have been there before when it comes to cyber security. They would have spent millions on tech vendors and consultants over the years just to see a fresh-face chief information security officer (CISO) coming back with a new strategy and a new cyber security budget.
As a result, many new CISOs have to change their narrative when it comes to addressing board members’ and senior executives’ concerns regarding cyber security. The focus on it has been on tactical initiatives. Not many of these are truly transformative.
The focus of today’s CISOs must be on protecting the business from threats that are real and imminent. Having the right context is very important for a successful strategy and execution. It can start with identifying areas where the previous investments were not successful or where there is a need for further investment.
Having the right context and the right people can help define and execute transformative initiatives that can be delivered in real life. The CISO’s role should also take him or her into other fields of expertise, such as culture and governance. The board should own the cyber security agenda and should be able to drive it top-down, in terms of understanding and managing the various roadblocks.
Each company’s board should no longer be convinced that cyber security is a requirement. Instead, it should be focused on delivering on expectations and finding the best cyber security budget for their needs.