Getting Your Security Budget Approved Without FUD

Getting a security budget approved is a challenge, but it is arguably the single most important task a security leader can accomplish. This session reveals the six common factors that successful CISOs use to quantify needs and justify security budget with non-technical executive leaders. Research and data gleaned from over 40 interviews with high-profile CISOs provide some interesting results.


  1. Session ID CISO-W04A: Getting Your Security Budget Approved Without FUD. John B. Dickson, CISSP, Principal, Denim Group, @johnbdickson
  2. Why Is Selling Fear So Compelling?
     - Is it like selling insurance?
     - The security industry is struggling for parallel models and metaphors
     - FUD distorts the process
  3. Security Leaders Are at a Structural Disadvantage [org chart: CEO, CFO, CIO, VP Development, Development, CISO]
     - They have a staff advisory role and not a "line" operator role
     - They have different world views that drive their perspective
     - They talk differently
     - They have less power
  4. The Key Principles of Selling Security
     1) Exploit Pet Projects
     2) Account for Culture
     3) Tailor to Your Specific Vertical
     4) Consciously Cultivate Credibility & Relationships
     5) Capitalize on Timely Events
     6) Capture Successes & Over-Communicate
  5. 1) Exploit Pet Projects: Always bundle security into CAPEX or other critical projects as defined by the CEO.
  6. 2) Account for Culture (Business Environment): Radically adapt your "Request for Resources" to your organization's culture and risk appetite.
  7. 3) Tailor to Your Specific Vertical: Tailor security requests to your specific vertical, sub-vertical, and sub-sub-vertical.
  8. 4) Consciously Cultivate Credibility & Relationships: Credibility and relationships must be established prior to "Making a Security Ask".
  9. 5) Capitalize on Timely Events: Use near-death experiences of others to justify security spend. "You never let a serious crisis go to waste. And what I mean by that it's an opportunity to do things you think you could not do before." - Rahm Emanuel
  10. 6) Capture Successes & Over-Communicate: Document security wins and communicate these successes so they become the new operating norm.
  11. Conclusion: Successful security leaders exhibit certain consistent approaches to get their security budgets approved, without using FUD!
     1) Exploit Pet Projects
     2) Account for Culture
     3) Tailor to Your Specific Vertical
     4) Consciously Cultivate Credibility & Relationships
     5) Capitalize on Timely Events
     6) Capture Successes & Over-Communicate
  12. Q&A: John B. Dickson, CISSP, john@denimgroup.com, @johnbdickson
