Building a Defensible Security Budget: Part I

Part One: Making your CFO a Cyber Resilience Advocate

by Rob Brown, Sr. Director of Cyber Resilience

This blog post is the first of two supplements to the first webinar of our webinar series “How to Build a Defensible Cybersecurity Budget.” 

As a next-generation cyber risk company, we have one primary goal: to help our clients build resilience against cyber threats. This includes understanding that their risk goes beyond technical challenges. Achieving cyber resilience includes spending money in the wisest ways possible, which means allocating budgeted funds in both a risk-adjusted and risk-tolerant manner. This requires submitting your budget for controls and capabilities in the financial and economic terms of the people who will ultimately approve your budget. These people are the money people—the CFOs and controllers who sign checks—and you must learn to speak their language in a compelling way.

How do these “money people” define a defensible budget? These individuals think about defensible budgets in the following way:

A defensible security budget is a set of allocated costs that serve the strategic objectives of the organization based on a choice of controls that maximizes capital efficiency in an uncertain world.

Allocated costs support actions intended (but not guaranteed) to carry us to a goal. Strategic objectives relate to why an organization exists at all, and capital efficiency relates to the wise and productive use of cash in a risky world.

Combined, this implies that a defensible budget is one that we understand (ironically) to be at risk of failing to achieve its objectives, but not as risky as budgets based solely on technical wish lists and compliance measures. No one can ensure that your budget will achieve its goals and objectives, and wishful thinking is not allowed. This is why Resilience has established our cyber risk quantification framework, which allows us to provide a responsible measurement of the risk of failing to achieve the objectives we desire. With that in mind, we can plan proactively to offset and mitigate those risks. The measurement of risk ultimately lives at the heart of a defensible budget and shows why it is superior to alternatively motivated budget requests.

Identify the Primary Objective: Maximize Shareholder Value

To think like the money people, we first need to think in terms of their objectives. Their primary objective is to maximize shareholder value. This might be controversial in today’s world of focusing on stakeholder value, but shareholders represent a pivotal subset of all stakeholders. Their goals are important enough to function as a filter for any budget approval.

To appeal to the money people’s concerns, we need to ask, “what objectives support maximizing shareholder value?” The easiest suggestion might be simply maximizing revenue. 

Revenue is the top line fundamental contributor to shareholder value. It’s the source of contribution to the profit and loss statements from which all other costs are subtracted, and the financial contribution which we hope to retain as much as we can.

(Figure: Breaking Down a Primary Objective 1)

The next fundamental objective to consider is “minimizing operating costs.” Of course, we don’t mean to indiscriminately lower costs, but rather lower the required costs of doing business effectively. We also call this “right-sized costs” or “optimized costs.” Keep in mind that if nothing else changes in the strategic intent of the organization, eliminating waste or unnecessary costs represents a good direction to take.

(Figure: Breaking Down a Primary Objective 2)

Taken together, increasing revenue and minimizing operating costs are obvious objectives because they speak to what commercial organizations do: seeking profit. The next two fundamental objectives might seem a little more esoteric, but they are just as important. 

One of these next two key objectives of building a defensible security budget is “maximizing capital efficiency.” What is capital efficiency? It’s related to the wise use of cash, or capital, to accomplish desired outcomes. Sometimes this objective is referred to as maximizing economic profit; it means managing investments according to the risk-adjusted net benefits they are expected to produce. We say capital has been used wisely when we attempt to invest, for example, $100 with the anticipation of eventually making back $150, or $2000. But if we attempt to invest $100 with an anticipated return of less than $100, or even worse, without knowing what the returns might be, then we’re being foolish with the allocation of funds. Money people hate the foolish use of funds.
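As an added example that is not from the post or from Resilience’s framework, here is a small Python model of that decision rule: the loss a control is expected to avoid is uncertain, so it is sampled from an assumed triangular distribution, and the control is judged on its risk-adjusted expected net benefit and on the probability that it fails to pay for itself (the budget line failing its objective). All dollar figures and distribution parameters are constructed assumptions.

```python
"""Risk-adjusted capital efficiency check for a proposed security control.

Constructed example: dollar figures and the triangular-distribution model are
assumptions for illustration, not figures or methods from the post.
"""
import random
from dataclasses import dataclass


@dataclass
class ControlProposal:
    name: str
    annual_cost: float          # budgeted cost of the control
    loss_reduction_low: float   # pessimistic annual loss avoided
    loss_reduction_mode: float  # most likely annual loss avoided
    loss_reduction_high: float  # optimistic annual loss avoided


def evaluate(proposal, trials=20000, seed=7):
    """Return (expected_net_benefit, probability_of_shortfall).

    The loss avoided is uncertain, so each trial samples it from a triangular
    distribution (assumed shape). A shortfall is a trial in which the loss
    avoided does not cover the control's cost, i.e. the outlay is not earned
    back. The seed is fixed so results are reproducible.
    """
    rng = random.Random(seed)
    net = []
    for _ in range(trials):
        avoided = rng.triangular(proposal.loss_reduction_low,
                                 proposal.loss_reduction_high,
                                 proposal.loss_reduction_mode)
        net.append(avoided - proposal.annual_cost)
    expected = sum(net) / trials
    shortfall = sum(1 for n in net if n < 0) / trials
    return expected, shortfall


def is_defensible(proposal, max_shortfall=0.25):
    """Decision rule in the post's terms: invest only when the risk-adjusted
    expected return exceeds the outlay AND the chance of shortfall is within
    the organisation's risk tolerance (max_shortfall is an assumed threshold)."""
    expected, shortfall = evaluate(proposal)
    return expected > 0 and shortfall <= max_shortfall


# Constructed proposals: spend $100, expect to make back more, less, or uncertain.
WISE = ControlProposal("wise", 100, 120, 150, 200)
FOOLISH = ControlProposal("foolish", 100, 40, 60, 90)
UNCERTAIN = ControlProposal("uncertain", 100, 50, 110, 300)
```

Lowering `max_shortfall` expresses a less risk-tolerant CFO; the same proposal can be defensible at 25% tolerance and not at 10%.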

(Figure: Breaking Down a Primary Objective 3)

The last objective we need to pay attention to is the “integrity of the treasury.” The corporate treasury represents the funds that are set aside to support the cash requirements of daily obligations. But it also serves to provide a financial cushion in times of crisis. This cushion, the reserve, is where we draw funds for stormy days. The defensible budget serves to limit the impact to this reserve by handling any realized risks that escape our control.

(Figure: Breaking Down a Primary Objective 4)

Now that we understand the primary and fundamental objectives of the money people, we need to think about the capabilities we want to achieve through the implementation of controls. Understanding what we want to achieve and the cost of achieving it supports the realization of the four fundamental objectives of building a defensible budget. 

For example, we might consider starting with the base capabilities outlined in the NIST Cybersecurity Framework. Given that we start with those capabilities, we need to consider our four objectives and connect the dots for the money people. The goal is to demonstrate a plausible pathway by which these capabilities flow through and support other intermediate business objectives on the way to maximizing shareholder value.

(Figure: Breaking Down a Primary Objective 5)

Connect the Dots from Value at Risk to Business Fundamentals

To begin this decomposition of capabilities and objectives, the first step is to understand our Value at Risk. We should ask ourselves, “What is it we stand to lose? What needs to be protected?” If we can answer those questions, then we can brainstorm the capabilities that we need. We then begin a series of iterative questions focused on increasing layers of hierarchically important achievements. What do those capabilities achieve?

Why do we work to achieve threat mitigation? Because it protects the supply chain. Why do we need to protect our supply chain? Because it helps us maintain ongoing business continuity which enables the business purpose.

(Figure: Breaking Down a Primary Objective 6)

Other goals and pathways can develop from threat mitigation, such as achieving compliance. Why do we want to achieve compliance? Because it enables us to activate the system of trust, without which we could not do any business at all. In this simple, yet incomplete, decomposition, we’ve clarified for the money people how a subset of capabilities supports their fundamental objectives of supporting revenue at a reasonable cost. The remainder of the exercise requires that we connect the dots to capital efficiency and treasury integrity.

(Figure: Breaking Down a Primary Objective 7)

This mapping exercise is very important in helping develop a narrative to defend the quantitative justification for your budget. It gives both you and the money people a line of sight from the capabilities you intend to implement or expand to the strategic business objectives they are entrusted to pursue and achieve. Ultimately, clarification across lateral business units helps you open communication between the finance and security silos whose separation can hamper efforts to build cyber resilience.
