The Golden Vector: How to Lobby for Your Cybersecurity Budget
We help security teams state their case to management every day. Those who reach out to us usually still have to go ask permission to buy something before finalizing the deal. This doesn’t always go as intended on their end, however. According to Cybersecurity Dive, more than half (63%) of security leaders don’t feel that they have sufficient budget to invest in the right technologies.
Plenty of people would benefit from learning how to state their case better and hone their ability to lobby for cybersecurity budget. Let’s take a little time, dear reader, to explore what we’ve learned so far.
Introducing the Golden Vector
Everyone seems to have their own clever quadrant or chart or infographic to explain themselves these days, so we came up with our own. We call it the “Golden Vector,” and it’s a way to describe what it takes to be effective at obtaining the cybersecurity budget you need.
As demonstrated by the empty quadrant graphic above, this approach involves a balancing act between two different kinds of maturity: Logical (on the x-axis) and Emotional (the y-axis). For the rest of this post, we’ll refer to Logical Maturity interchangeably as “hard” skills, and Emotional Maturity as “soft” skills. The idea here is to raise your levels of both Logical and Emotional Maturity to the point that they meet in the verdant green pastures of the upper-right quadrant (which we won’t call the “Magic Quadrant” since I think that’s probably trademarked).
Logical Maturity (The Hard Skills)
Here, I’m talking about the logical context of stating your case. You’re walking into a room, or you’re on the phone with somebody, and you really want to get good at selling the idea of a purchase. To your credit, you’ve got a pile of numbers. You’ve got data to show them. You’ve got different reports. But how good are you at stating your case logically, and what tools do you use to state that case?
You might be tempted to resort to the first level of growth on the hard-skill side — fear, uncertainty, and doubt (FUD). This is essentially crying wolf. Anybody can walk into a room and start claiming that the sky is falling. It doesn’t take much logical maturity or data.
On a higher level of growth, you can leverage analytics. You can pull metrics and other information from your existing cybersecurity or network tools and put them into a cohesive report to prove your point. This can be something along the lines of, “I’ve seen this many alerts or this many attacks target my network” or “I’ve had this many people click on bad links.” You can use this basic data, as well as outside news and reports, to state your case.
A step up from there, you can turn to frameworks. I’m talking about the CIS Controls, HITRUST, and NIST’s Cybersecurity Framework, to name a few. The argument here is that frameworks constitute outside (i.e., objective) resources that you can use to support and rationalize the analytics you’re presenting. You can tell management, “This is what the experts are telling me. I’ve looked at it, and I’ve analyzed it. Here is where we are weak. Therefore, we need to purchase this tool.”
The final “hard” skill level of growth is risk. This golden point is all the rage these days in cybersecurity, with many companies talking about the need to take a “risk-based approach” by determining what’s important. Essentially, you build out a risk profile, you present that to management, management determines its risk appetite, and together you allocate funding based on what constitutes an unacceptable risk. In this way, organizations can prioritize their risks.
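To make the risk-based step concrete, here is an added illustration (not code from the post or from Nomic) of the loop the paragraph describes: score a risk register, let management’s appetite threshold decide which risks are unacceptable, and allocate a fixed budget to the controls that buy the most risk reduction per dollar. The register entries, the likelihood × impact scoring on 1–5 scales, the control costs and the appetite value are all constructed assumptions for the example; any real program would substitute its own scales and figures.

```python
"""Risk-register prioritization and budget allocation (illustrative example).

All register entries, costs and the scoring scheme below are constructed
for the example; the post itself prescribes no particular scale.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    control_cost: float       # constructed annual cost of the proposed control
    residual_likelihood: int  # likelihood expected once the control is in place

    @property
    def score(self) -> int:
        """Inherent risk: likelihood x impact (assumed scheme)."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk remaining if the proposed control is funded."""
        return self.residual_likelihood * self.impact

    @property
    def reduction_per_dollar(self) -> float:
        """How much risk score each dollar of the control removes."""
        return (self.score - self.residual_score) / self.control_cost


# Constructed sample register (hypothetical entries, not real findings).
SAMPLE_REGISTER: List[Risk] = [
    Risk("Unpatched internet-facing servers", 4, 5, 40_000, 1),
    Risk("Phishing-driven credential theft", 5, 4, 15_000, 2),
    Risk("Lost unencrypted laptop", 3, 3, 8_000, 1),
    Risk("Out-of-date printer firmware", 2, 1, 2_000, 1),
]


def unacceptable_risks(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose score exceeds the appetite management set, worst first."""
    return sorted((r for r in register if r.score > appetite),
                  key=lambda r: r.score, reverse=True)


def allocate_budget(register: List[Risk], appetite: int,
                    budget: float) -> Tuple[List[str], float, List[str]]:
    """Greedy allocation over the unacceptable risks.

    Controls are funded in order of risk reduction per dollar; a control that
    no longer fits the remaining budget is skipped so cheaper ones can still be
    funded. Returns (funded control names, unspent budget, risks that remain
    above appetite after the allocation) - the last list is what you take
    back to management as the open conversation.
    """
    candidates = sorted(unacceptable_risks(register, appetite),
                        key=lambda r: (r.reduction_per_dollar, r.score),
                        reverse=True)
    funded: List[str] = []
    still_open: List[str] = []
    remaining = budget
    for r in candidates:
        if r.control_cost <= remaining:
            remaining -= r.control_cost
            funded.append(r.name)
            if r.residual_score > appetite:
                still_open.append(r.name)   # control helps but is not enough
        else:
            still_open.append(r.name)       # unfunded, still unacceptable
    return funded, remaining, still_open


if __name__ == "__main__":
    appetite, budget = 8, 50_000      # constructed values for the example
    for r in unacceptable_risks(SAMPLE_REGISTER, appetite):
        print(f"UNACCEPTABLE {r.score:>2}  {r.name}")
    funded, left, open_risks = allocate_budget(SAMPLE_REGISTER, appetite, budget)
    print("fund:", funded)
    print("unspent:", left)
    print("still above appetite:", open_risks)
```

With the constructed numbers, the appetite of 8 excludes the printer item, the phishing and laptop controls are funded first because they remove the most score per dollar, and the server-patching control is left unfunded and reported back as an open risk. That last list is the point of the exercise: the tool doesn’t decide; it gives management a prioritized, quantified list to decide on.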
Let’s take a look at our graph again …
As your Logical Maturity grows, you move closer and closer to that green quadrant, but you can’t get there without some level of Emotional Maturity.
Emotional Maturity (The Soft Skills)
The truth is that you can’t get to a risk-based program on your own. You need the help of management and other stakeholders across the organization to determine what the risks are, which ones are unacceptable, and which ones are the most unacceptable. As such, you also need to incorporate those elusive “soft” skills – how you deal with humans – into your approach.
As with the hard skills, there are various levels of growth when it comes to emotional maturity. Once again, you could choose to start with FUD. But in terms of emotional maturity, it’s not going to get you very far. It’s childish, and it’s the least mature emotional perspective.
The second level of emotional maturity is storytelling. This tactic is more compelling than FUD in that you’re taking analytics and tying them to a story that applies to your organization or another organization that’s like yours. You’re making your case relatable.
Then there are relationships. You need connections and familiarity with your team. That’s why you need to forge relationships with management and other people in the organization so that you have an audience that’s willing to support you.
Finally, there’s trust. Management and other stakeholders all the way up and down the organization aren’t going to open themselves up and talk to people whom they don’t trust. If they don’t trust you, they’re not going to ask the right questions. They’re not going to voice their concerns. With trust in play, you can have the meaningful conversations that you want to have.
Now on our graph, we see both pieces of the puzzle:
Just like we stated above, even if you gained your organization’s trust, that won’t get you to the verdant green pastures without some hard skills.
Where the Average Influencer Stands
The end goal is to balance all levels of growth for both hard and soft skillsets equally. This raises an interesting question. Where does the average leader stand in this regard?
What we see in our experience – our existing customers and partners – is that the average influencer is not too bad at relationships. They’re somewhere between relationships and trust. This is usually based on experience and tenure. Trust takes time. Some of them struggle with upper management; they haven’t been there long enough to establish rapport.
As for the logical side of things – the “hard” skills – everybody’s pretty good with pulling analytics and data from their existing tools. This is the “go-to” approach for most people. And, we’re starting to see more and more use of the CIS Controls and other relevant frameworks to build their cases. But the fact remains that in the vast majority of smaller organizations, the idea of a risk-based approach is elusive, at best.
This places the average influencer close, but not quite in, the green quadrant. (“You-ish”, below.)
The Golden Vector
These are measures on which all security leaders can grow their efforts. Sure, the Golden Vector is where you want to be: Firm trust of the organization and a fully mature risk-based approach. (Unicorn, below.)
But you don’t need to be a unicorn and max out everything. As the thumbs-up on the graph shows, you can make it to the Magic Quadrant (oops) with a reasonable, attainable level of soft and hard skills: by building strong relationships and having the analytical chops to build out a cybersecurity strategy informed by frameworks.
How Do We Get to that Point?
Scott Smith, CISO for the City of Bryan, has some words of advice for security leaders who are looking to grow their Logical Maturity.
“If you can quantify a risk-based approach and present it to upper management, that is a solid plan,” he clarified. “It’s more of an art than a science. Current events can be used to demonstrate points, but you have to be careful of not over-playing that card and losing credibility.”
As for the soft skills – Emotional Maturity – security leaders can look to have one or two executive-level mentors off whom they can bounce ideas. They can also lean on an industry organization like the Texas Association of Governmental Information Technology Managers (TAGITM) to exchange ideas and get advice from others. Finally, security leaders need to have the humility to delegate. This can be particularly useful when building out relationships and trust. Leaders don’t have to do this alone; they can leverage their own connections to create the network they need.
Budget is Just One Part of a Broader Effort
Up to this point, we’ve discussed the Golden Vector as it applies to cybersecurity budgets. But the importance of the Golden Vector extends way beyond just financial resources. Getting management to accept your budgeting proposals is really just a side effect of a good cybersecurity strategy that is based on building trust in the organization and creating a risk-based approach. Simply put, build trust and focus on risk, and the money will come.
Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.