Cyber Security Institute

Sunday, April 21, 2013

10 tips to secure funding for a security program

Ask any cyber security specialist what their biggest challenge is, and you will get a variety of answers, ranging from strengthening network security, to managing internal threats, to protecting against cyber espionage. But upon further investigation, you may be surprised to learn that the unanimous pick for the biggest challenge cybersecurity professionals face is simply getting the funding necessary to carry out a security program. There is a great deal of resources and technical support available on how to deal with the never-ending list of threats that arise daily, and we have plenty of opportunities to learn and digest security best practices. However, little information or guidance is available to prepare one for the dreaded budget discussion when new or continued funding is necessary to maintain a strong cyber security posture.


In all cases, good communication was the critical ingredient for success and resulted in the necessary funding, over a period of years, to establish and maintain a workable security program. To start the budget discussion, you must stress cost avoidance rather than profits, and you will need hard, empirical evidence to depict the business risks and associated costs. Therefore, the best way to approach senior management to fund your cybersecurity program is to cast the expenditures using an ROI approach.

1. Set the foundation for security funding before you need it; and once established, keep it strong.
2. Don’t use scare tactics.
3. Establish your cybersecurity credentials within your organization.
4. Relate your security risks to the business.
5. Outline the need in plain English.
6. Develop a plan that meets the security needs but also considers financial constraints.
7. Once you get the funding, follow the plan you outlined.
8. Provide constant feedback on the security program.
9. Use outside resources to support your request.
10. Always emphasize that cyber security is not an “information technology” issue; it is an organizational risk management issue.


Posted on 04/21