getting your security budget approved without fud
Post on 19-Oct-2014
846 views
DESCRIPTION
Getting a security budget approved is a challenge, but it is arguably the single most important task a security leader can accomplish. This session reveals the six common factors that successful CISO’s use to quantify needs and justify security budget with non-technical executive leaders. Research and data gleaned from over 40 interviews with high-profile CISO’s provide some interesting results.TRANSCRIPT
SESSION ID:
Getting Your Security Budget Approved Without FUD
CISO-W04A
John B. Dickson, CISSP Principal
Denim Group @johnbdickson
#RSAC
Why Is Selling Fear So Compelling?
u Is it like selling insurance? u The security industry is struggling
for parallel models and metaphors u FUD Distorts the Process
2
#RSAC
CEO
CFO
CIO
VP Development
Development
CISO
Security Leaders Are at A Structural Disadvantage
u They have a staff advisory role and not a “line” operator role
u They have different world views that drive their perspective
u They talk differently u They have less power
3
#RSAC
The Key Principles of Selling Security
1) Exploit Pet Projects
2) Account for Culture
3) Tailor to Your Specific Vertical
4) Consciously Cultivate Credibility & Relationships
5) Capitalize on Timely Events
6) Capture Successes & Over-Communicate
4
#RSAC
1) Exploit Pet Projects
Always bundle security into CAPEX or other critical projects as defined by the CEO
5
#RSAC
2) Account for Business Environment
Radically adapt your “Request for Resources” to your organization’s culture and risk appetite
6
#RSAC
3) Tailor to Your Specific Vertical
7
Tailor security requests to your specific vertical, sub-vertical, & sub-sub vertical
#RSAC
4) Capitalize on Timely Events
Use near-death experiences of others to justify security spend
8
“You never let a serious crisis go to waste. And what I mean by that it's an opportunity to do things you think you could not do before.”
-‐ Rahm Emanuel
#RSAC
5) Consciously Cultivate Credibility & Relationships
Credibility and relationships must be established prior to “Making A Security Ask”
9
#RSAC
6) Capture Successes & Over-Communicate
Document security wins and communicate these successes so they become the new operating norm
10
#RSAC
Conclusion
Successful security leaders exhibit certain consistent approaches to get their security budgets approved – without using FUD!
1) Exploit Pet Projects
2) Account for Culture
3) Tailor to Your Specific Vertical
4) Consciously Cultivate Credibility & Relationships
5) Capitalize on Timely Events
6) Capture Successes & Over-Communicate
11
Q&A John B. Dickson, CISSP [email protected] @johnbdickson