As cybersecurity inches its way to the top of the priority list for many executives across industries, organizations are figuring out how to secure adequate funds for an information security program.
Researchers from Dallas-based Southern Methodist University examined the changing cybersecurity landscape and how boards are prioritizing security budgets. Researchers interviewed 40 executives from various industries, including healthcare, finance, retail and government.
For the most part, cybersecurity budgets are growing: 88 percent of participants said their budgets have increased, and the rest said their budgets have remained the same.
Here are four ways security and information executives reported boosting their budgets.
1. Develop a framework to articulate a message. Increased investment in security shouldn't necessarily be about keeping up with the latest technology. Instead, one CISO said presenting senior leadership with a security strategy and defined projects helps demonstrate the purposefulness of such investments. "Security has to be able to have a basis to argue its point of view in a compelling story with some thought behind it," he said, according to the study.
2. Suffer a breach. A CISO for a large retail company told researchers senior leadership was ready and willing to heavily invest in security after the company was breached.
3. Discuss compliance obligations, but don't rely on them. Organizations have to be in compliance with certain standards and regulations, such as HIPAA. However, compliance shouldn't be the key driver in growing a security budget. "Way too many programs are aligned around, 'What's the minimum thing I have to do to get a check mark? And if I get a check mark, I must be fine,'" said one CISO in the study. The study also found three out of four CISOs whose senior management team does not support their cybersecurity efforts said compliance arguments were how they tried to gain more budget.
4. Engage business units. Getting buy-in from business units requires CISOs to directly engage with business leaders. Demonstrating vulnerabilities to business owners and CIOs can make security risks more apparent. Then, business owners may be more likely to prioritize security funding.