April 29, 2021

The Infosec Meme That Touched a Raw Nerve

One of our memes was reposted by The Cyber Security Hub, an infosec community with greater than 1 million (yes, it’s MILLION) followers on LinkedIn. The meme (see below) was on the topic of cybersecurity budgets and it was our tongue-in-cheek way to start a discussion. But we were blown away by the response it garnered in the community.Security Budget Meme

At last check, this meme post had more than 10,000 likes and close to 250 comments. The commenters spanned across infosec roles, industry verticals, and global geographies. And a majority of the comments were a variation of “[this is] all too common”, “sad, but true”, and “an unfortunate reality”. Interspersed were sentiments like “seen this happen in more than one company” and “Yes, and it also soon reverts back to the minimum possible [budget].”

This meme also got the creative juices flowing and some of the readers created their own versions of this meme:

Security Budget vs Data Breach Cost
Security Budget a week after breach

We know that it is less expensive to prevent attacks than it is to repair the damage after a breach. The 2020 Cost of a Data Breach Report found that the average total cost of a data breach is $3.86 million and moving in an upward trend. For larger companies and bigger data breaches this can run into the 10s and 100s of millions of dollars. Your CFO knows this, or should know this information.

We also know that the average time to identify a breach in 2020 was 228 days and the average time to contain a breach was 80 days. The math points to the irrevocable fact that it is imperative to invest in proactive cybersecurity measures. Then why is it that this is so hard for us infosec folks to explain this to the powers-that-be that are responsible for allocating our cybersecurity budgets?

One reason is that we are not asking for the budget in the right way.

Asking for Proactive Cybersecurity Budget

CISOs typically get 15-30 minutes to present to the Board of Directors or in the Audit Committee meetings and it is key to make the most of this short time. Boards usually consist of non-technical folks, so the best course of action is to present the complex topic of your infosec program using a simple, compelling story about risk to the business, backed by data.

If you are presenting to your board or audit committee for the 1st time, you will need to do a level set before you can do your ask. Here is a customizable PowerPoint template which follows the outline described below for your level set board meeting.

  1. Provide an overview on the overall risk landscape, including any notable data breach events at similar organizations and their costs. Explain why infosec risk is business risk.
  2. Discuss your infosec function’s maturity and progress towards your strategic objectives.
  3. Provide a snapshot of your cyber-risk organized along a couple of pivots, such as business units or sites. Use money units to describe risks – dollars, euros, yen, rupees… And show trends for your risk metrics against time.
  4. Explain to the Board the costs and benefits of achieving different levels of infosec maturity.
  5. Provide assurance on effective management of your strategic roadmap and answer questions about successes, setbacks, and recent changes in priorities.
  6. Your board cares a lot about efficiency, so be sure to explain your investments in cybersecurity automation, or plans/desire to make these investments.
Risk by Business and Attack Type
Risk by Business and Attack Type

After this 1st meeting, you will provide recurring updates to the board on some quarterly cadence. You can download a different PowerPoint template which follows the outline below.

  1. Set the baseline for the discussion with a quick summary of your last meeting
  2. Provide an update on the overall risk landscape, including any notable events.
  3. Highlight cyber breach risks that require immediate action, and your best estimates on the expected business impact. Again, use money units to describe risks.
  4. Remember to present your mitigation plan and explain how the board can help (by giving you the mandate to reduce risk and supporting your budget asks).
  5. Be sure to explain efficiency and future considerations of your proposed plan. Boards like it when you show how you are investing in platforms and increased automation.

Creating Urgency for Proactive Cybersecurity

As one commenter, a CISO posted on the LinkedIn thread, “We need to get them to understand the need [for proactive measures] without the painful process of recovering from a breach.”

Balbix customers use our platform routinely to generate widgets and slides for their board meetings. Please reach out to us to schedule a 20-minute demo of our platform, including the capabilities to map vulnerabilities and risk-items from the network level to the business level.

You can download a customizable PowerPoint template which follows the outline described above for your next board meeting here.

You can check out the original LinkedIn post here.

Related Posts

Blog
3 Questions Your Board Has About Cybersecurity
Blog
CISOs weigh-in on budgets, wish lists, and security as a business priority
WIshlist banner
Blog
A CISO’s Cybersecurity Wishlist