Why IT leaders are putting more business spin on security spend

Over at media creation and editing technology provider Avid Technology, Dmitriy Sokolovskiy, its CISO and CSO, uses NIST’s Cybersecurity Framework to measure the maturity of his security processes, and the Center for Internet Security’s top security controls for specific tactical guidance, which, he says, highlight low-hanging fruit that businesses can easily address in their infrastructure.

Applying caution with benchmarks

Several CISOs were skeptical about using benchmarks to compare their security spend with others. That’s because, they say, companies may define security spend differently or have different needs. They also say benchmarks often don’t describe how and why organizations allocate their security budgets. As a result, they use benchmarks as a rough guide to budgeting, relying primarily on their own risk assessments.

But Kim warns CISOs against refusing C-level requests for benchmarking. “It’s not unreasonable to ask for a benchmark,” he says. “A chief financial officer couldn’t say, ‘We can’t compare our earnings-per-share with others in the industry.’” Provide benchmarks, he says, but as one part of a wider explanation of how your security spend compares with others, the challenges the organization faces, and how you’re reducing the total cost of ownership of security over time.

“CISOs should describe current threats and attacks,” says Pecha, and supply alternatives to remediate them. It’s then up to the board and the C-suite to decide what’s acceptable and what needs to be done to manage the overall risk to the business, he says, because only they have the clout to drive change.

Insisting that a business executive formally accept a business risk, even in writing, often convinces them to agree to the proposed security spend instead. When Sokolovskiy has insisted on such signoff, “Without fail, so far the business unit was actually driven to lower the risk themselves because they own it,” he says.

A business-focused approach can also spur efforts by security and business teams to identify opportunities to increase efficiency and save money, says Christensen, such as by eliminating redundant systems and processes. “With business alignment, you have no choice but to find unique and innovative ways to solve problems that are generated by how the business operates,” he says.
