Cover Image for 5 Tips for IT Budgeting: How to Map Business Outcomes to Cyber Priority
Blog

5 Tips for IT Budgeting: How to Map Business Outcomes to Cyber Priority

11.02.22 | By Ascent

A Gartner survey[1] found 72% of business executives are mapping cybersecurity investments to business outcomes. That’s a telling percentage—and a key insight into cyber value conversations. Technologists often pushback on a C-suite assumption: cybersecurity measures only expend capital, but they don’t add anything to a business’ output.

That’s an honest assumption on one condition: if IT only argues for cybersecurity measures without communicating supporting business value, why shouldn’t executives decide to deprioritize cybersecurity investments?

Instead, we recommend technologists frame the problem in business terms to executives. Learn to speak from your executive’s business-value perspective and present solutions solving their motivating pain points.

So how should IT teams justify cybersecurity spending at the business level?

  1. Know your audience

Threat intelligence is an essential control to cybersecurity, but it’s more specific to detailed decision making than C-suite level approval. Instead of only leveraging headlines and CTI reports to justify budget investments to your executives, start with a business proposition.

Begin by suggesting a more cost-effective approach to threat mitigation than cyber insurance—a managed SOC—and then support by explaining how a SOC could help your IT team identify threats most probable to your business.

  1. Articulate your audience’s concerns

Take time to articulate two security principles you might have taken for granted but your board doesn’t. Outdated infrastructure can be a security risk, and security consolidation reduces endpoint vulnerability while saving money. Acknowledgement of both points reminds your executives you are aware of the concerns important to them. Consulting partners like Ascent can advise how to secure a hybrid or legacy environment in the most efficient and secure way.

  1. Answer your audiences’ pain points

At a broad level, most executives must avoid gaps in business continuity, proprietary information or data theft, damage to public image or reputation, and a higher Total Cost of Ownership (TCO) than operational capacity.

Communicate the value you place on your executives’ priorities by explaining how cybersecurity reduces or prepares the organization for a breach. Securing a food processing plant’s infrastructure and increasing identity security ensures the business’ supply chains operate without incident.

A marketing agencies’ reputation means email security may be a top priority to avoid a threat actor’s access to email lists and confidential client information.

Considering each situation for your organization with a broader, sensitive outlook could lead to more productive conversations.

  1. Suggest a data-supported solution

Case studies aside, your executives likely value data-supported recommendations on how to expand or simplify cybersecurity budgets during a recession. We recommend firms modernize existing infrastructure, consolidate software platforms and applications, and optimize current, up-to-date solutions.

Approaching your environment with a past, current, and future view ensures your team isn’t impulse buying new technology without maximizing the infrastructure your team already maintains.

  1. Present the outcome

Once you have organized your recommendations, make sure to highlight their value for your executives. Reflect the past state of your organization’s tech stack and briefly summarize what you have accomplished and where you hope to expand your strategy for the upcoming fiscal year. Presenting your executives with a short list of essential cybersecurity controls to allocate budget against, written or explained in their language, will make a difference in your organization’s path forward.

We’ve studied the data: cybersecurity isn’t just a cost vacuum. It’s an essential operational control for business goal achievement. Ascent provides free Security Outcomes Sprint discovery sessions, evaluating and prioritizing your cybersecurity portfolio. We work with you to communicate your proposed investment through jargon-free rationalization so you can walk away with an expert-informed path forward. Reach out to info@meetascent.com for more information.

 

[1] Resources cited: Heyman, Ayelet. “Tech CEO Insight: Convey Business Outcomes in Cybersecurity Value Propositions,” Gartner.com. August 10, 2022. ID G00771576.

Share this Post
Whether you’re starting your cybersecurity journey or you’re improving your security posture, our team is passionate about protecting your people and business.
content
Blog
A Year in Review: See How our 2022 Cyber Trends Performed

December 7, 2022 – We’re reviewing Ascent CIO Jason Floyd’s 2022 cybersecurity predictions, pausing for a moment before 2023 to see how close we got.

content
Blog
Customizing Your Security Stack: Coding with MITRE ATT&CK

November 29, 2022 – Technical instructions for retrieving and implementing raw MITRE ATT&CK data into your tech stack.

content
Article
How to Smash Your Zero Trust Success Metrics

November 21, 2022 – IT teams that base their Zero Trust strategy in hard science and data analysis are well-positioned to create an effective plan with measurable KPIs.