Just as the emergence of the pandemic has focused our thoughts on health and well-being, the rise in lockdown-related cyberattacks has sparked increasingly urgent conversations about cybersecurity. Boards of directors of organizations of all sizes are now more open to the idea that security is a necessary component of modern businesses. There are indications that budgets may soon match needs.
A recent PwC survey of organizations in the Middle East showed a strong willingness to increase security budgets. 58% of respondents expected their spending to increase this year, up from 43% in 2021. And 31% thought the budget increase would be 10% or more. Indeed, of those surveyed, 43% said they expect the number of reportable incidents in 2022 to exceed last year's. Amid this spike in incidents, there is an increase in the number of government-mandated standards for data collection, storage, and use. The United Arab Emirates Personal Data Protection Act is one such regulation.
Despite these changes, chief information security officers (CISOs) still need to close the gaps between understanding and expectations. Security managers can recite industry jargon like zero trust, secure access service edge (SASE), or security service edge (SSE) all day long. However, without a business case that directly equates to increased revenue or reduced costs, securing funding for a security project is difficult.
A new type of message
CISOs need to find a way to explain their proposal in terms their business-oriented colleagues can relate to – cost of procurement, expected benefit (in monetary terms, if possible), and likelihood that the benefit will be delivered. The “probability” part is a particular challenge, as it involves calculating the risk levels of different types of events. And failure to convince decision-makers may result in the risk being accepted, rather than in investment to eliminate, mitigate or transfer it.
When positioning cybersecurity in the age of hybrid working, CISOs should characterize it as an enabler, no different from cloud computing itself. With the proper implementation of zero trust, the cloud becomes an environment where innovation is faster, costs are lower, and employees can collaborate from anywhere. It’s a message that can move the needle when trying to get buy-in.
To make their case convincingly, CISOs need to have a deep understanding of their costs. For example, the total cost of ownership (TCO) must include more than the price of the software. There are countless hidden costs such as internal man-hours (including the coverage implications of running a solution 24/7), training, and consulting.
Square pegs, round holes
Another factor to consider is whether the security solution being considered integrates with existing technology. The board will want to know how the new system may affect (both positively and negatively) operations. As part of this discussion, the CISO will have a big advantage if they are able to present a deployment plan that has minimal downtime.
In modern complex multi-cloud environments, it is essential that any purchased solution integrates with all systems and does not disrupt operations. And it’s critical that the new solution doesn’t require a lengthy setup process or extensive training, as both will increase costs and lengthen the time to value.
Disruption to operations is a classic hidden cost and can often slow down a project. Telling a compelling story in the world of technology should always include selling points such as speed, efficiency and ease of installation. If resources are minimally impacted during the journey to value, this may be the nudge needed to convert some doubters.
How SSE sells
The CISO needs to show the board that there is an answer to the issues that keep them awake at night. Technology like SSE – the security side of SASE – unifies security services like Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). Why is this important? Because it reduces risk through a streamlined security posture.
When organizations can deploy a single, easy-to-use platform and provide complete visibility and unified controls, users are safer, data is more secure, networks are better protected, and the organization takes a big leap forward in compliance. By consolidating security and networking functions, SASE enables organizations to fully adopt the cloud with a simplified path to zero trust.
The business benefits of these approaches come from the consolidation of security tools. Network and connectivity costs are reduced and operations are made smoother. Reduced complexity means less work needed to make tools work, freeing up security and IT teams to focus on more innovative tasks.
While many other factors – personalities, externalities, skills, available budget – can still get in the way of that all-important ‘yes’, CISOs who create the right narrative are more likely to get the resources they need to do what needs to be done and build a more secure digital heritage.
Bahaa Hudairi is Regional Sales Manager – META at Lookout