
Tip 1: Quantify risk
The first step in building a defensible budget is putting numbers on the risks you’re trying to control. As a CISO, you immediately understand that your organization needs things like enhanced endpoint detection, a zero-trust architecture and a proper security operations center, but when you bring those things up in the budget meeting, the board’s eyes glaze over. It’s not that they are dismissing cybersecurity — they just don’t understand how these technical investments connect to the business outcomes they care about.
That’s why you should use financial terms to quantify your organization’s value at risk. Boards are more likely to accept your budget if they can understand the financial implications of a breach. Of course, this can be a difficult task if you haven’t experienced a breach before. You can start to understand your risk surface by researching your industry’s most common threats and breaches, consulting threat intelligence sources and interrogating your vendors’ cybersecurity postures to understand your third-party risk. You can also gather probability data on a breach through industry reports, government statistics and historical internal incident data.
However, the most accurate and influential approach is to survey your own experts and stakeholders, including them in the quantification process. You can find tools to do this manually or automatically. Using either approach, you can calculate the overall business impact of your risk, including direct financial losses, business interruptions and long-term business and reputation effects.
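The quantification described above, worked through as an added example (not part of the original article): expert estimates for each impact category (direct losses, business interruption, long-term reputation effects) are collected as three-point low/likely/high figures, combined with an annual probability taken from industry or internal incident data, and turned into an annualized expected loss plus a simulated loss-exceedance figure that a board can read as "chance of losing more than X this year". All scenario names, probabilities and currency figures below are constructed for illustration, and the three-point (PERT) weighting and triangular sampling are modelling choices assumed here, not methods the article prescribes.

```python
"""Risk quantification from expert estimates (constructed example).

Each scenario carries an annual probability of occurring and, per impact
category, a low / most-likely / high loss estimate gathered from the
organisation's own experts and stakeholders.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import List


@dataclass
class ImpactEstimate:
    category: str
    low: float      # optimistic loss, in currency units
    likely: float   # most likely loss
    high: float     # pessimistic loss

    def pert_mean(self) -> float:
        # Three-point (PERT) mean: the most-likely value is weighted 4x,
        # which damps over-optimistic or over-pessimistic outliers.
        return (self.low + 4 * self.likely + self.high) / 6


@dataclass
class RiskScenario:
    name: str
    annual_probability: float      # e.g. from industry reports or internal history
    impacts: List[ImpactEstimate]

    def expected_impact(self) -> float:
        # Total expected loss if the scenario happens once.
        return sum(i.pert_mean() for i in self.impacts)

    def annualized_expected_loss(self) -> float:
        # Probability-weighted loss per year for this scenario.
        return self.annual_probability * self.expected_impact()


def total_annualized_loss(scenarios: List[RiskScenario]) -> float:
    return sum(s.annualized_expected_loss() for s in scenarios)


def simulate_annual_loss(scenarios: List[RiskScenario], trials: int = 10_000,
                         seed: int = 1) -> List[float]:
    """Monte Carlo: sample one year many times, returning total loss per trial.

    Each scenario fires with its annual probability; when it fires, each impact
    is drawn from a triangular distribution over its low/likely/high estimate.
    """
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                for i in s.impacts:
                    total += rng.triangular(i.low, i.high, i.likely)
        losses.append(total)
    return losses


def loss_exceedance(losses: List[float], threshold: float) -> float:
    """Fraction of simulated years in which total loss exceeded `threshold`."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


# Constructed scenarios with illustrative figures (not real data).
SCENARIOS = [
    RiskScenario("Ransomware on file servers", 0.15, [
        ImpactEstimate("direct recovery cost", 200_000, 500_000, 2_000_000),
        ImpactEstimate("business interruption", 100_000, 800_000, 3_000_000),
        ImpactEstimate("reputation / long-term", 0, 300_000, 1_500_000),
    ]),
    RiskScenario("Third-party vendor breach", 0.25, [
        ImpactEstimate("direct recovery cost", 50_000, 150_000, 600_000),
        ImpactEstimate("business interruption", 20_000, 100_000, 400_000),
        ImpactEstimate("reputation / long-term", 30_000, 200_000, 900_000),
    ]),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: expected impact {s.expected_impact():,.0f}, "
              f"annualized expected loss {s.annualized_expected_loss():,.0f}")
    print(f"Total annualized expected loss: {total_annualized_loss(SCENARIOS):,.0f}")
    yearly = simulate_annual_loss(SCENARIOS)
    for threshold in (500_000, 1_000_000, 2_000_000):
        print(f"P(annual loss > {threshold:,}) = {loss_exceedance(yearly, threshold):.1%}")
```

The annualized expected loss is the figure to put beside a proposed control's cost; the exceedance probabilities give the board the tail-risk view that a single average hides. Replacing the constructed figures with your own survey results is the whole of the adaptation needed.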
