Why IT leaders are putting more business spin on security spend
Over at media creation and editing technology provider Avid Technology, Dmitriy Sokolovskiy, its CISO and CSO, uses NIST’s Cybersecurity Framework to measure the maturity of his security processes, and the Center for Internet Security’s top security controls for specific tactical guidance, which, he says, highlight low-hanging fruit that businesses can easily address in their infrastructure.
Applying caution with benchmarks
Several CISOs were skeptical about using benchmarks to compare their security spend with others. That’s because, they say, companies may define security spend differently or have different needs. They also say benchmarks often don’t describe how and why organizations allocate their security budgets. As a result, they use benchmarks as a rough guide to budgeting, relying primarily on their own risk assessments.
But Kim warns CISOs against refusing C-level requests for benchmarking. “It’s not unreasonable to ask for a benchmark,” he says. “A chief financial officer couldn’t say, ‘We can’t compare our earnings-per-share with others in the industry.’” Provide benchmarks, he says, but as one part of a wider explanation of how your security spend compares with others, the challenges the organization faces, and how you’re reducing the total cost of ownership of security over time.
“CISOs should describe current threats and attacks,” says Pecha, and supply alternatives to remediate them. It’s then up to the board and the C-suite to decide what’s acceptable and what needs to be done to manage the overall risk to the business, he says, because only they have the clout to drive change.
Insisting that a business executive formally accept a business risk, even in writing, often convinces them to agree instead to the proposed security spend. When Sokolovskiy has insisted on such signoff, “Without fail, so far the business unit was actually driven to lower the risk themselves because they own it,” he says.
A business-focused approach can also spur efforts by security and business teams to identify opportunities to increase efficiency and save money, says Christensen, such as by eliminating redundant systems and processes. “With business alignment, you have no choice but to find unique and innovative ways to solve problems that are generated by how the business operates,” he says.