How to plan for strategic cyber risk management

Dec. 6, 2024
CISOs can optimize their cybersecurity programs and budgets by quantifying cyber risks in monetary terms and prioritizing risk mitigation based on impact and ROI.

Too often, cybersecurity teams find themselves in a reactive mode, which limits their ability to think strategically about cyber risk management and resource allocation. Applying a few planning best practices, however, can turn this chaotic work into well-orchestrated exercises. Doing so aligns security teams with the business and turns unpredictable fights against threat actors into more controlled and systematic efforts, leaving CISOs more in control of and confident in their roles.

Every company follows defined planning cadences that set a rhythm for the business, such as the fiscal year, financial audits, board meetings, and other activities that trigger related planning work. By tying cybersecurity planning exercises to these business markers, you streamline communications and engagement with peers while establishing default cadences for the cybersecurity team. This strategic approach to building buy-in means deciding how and when to use cyber risk quantification, and it significantly increases the efficiency of your planning process, making CISOs more productive and effective.

Aligning Advance Planning with Practical Milestones

One key way for CISOs to improve their planning and elevate the cybersecurity function is to set concrete dates for cyber risk activities. By doing so, they can ensure that they are always prepared and organized for the planning activities that lie ahead, thereby enhancing the overall effectiveness of their cybersecurity strategies.

Completed Annual Budgets: Review the current cybersecurity posture and examine new requests for reallocation of resources. About 90 days before final budgets are due, examine your asset portfolio, security programs, and countermeasures. Using this baseline data, you can quantify cyber risk and run simulations to rank which risk mitigation projects will most improve your organization's risk posture.

End of Fiscal Year: Work with finance to understand available budget and ask for reassignment of unspent budget to cyber projects. After your budget meeting, schedule a time with your team to flag projects that could take advantage of unused funds during this short window.

Small, fast-turnaround capital projects are often the best targets. Select a project with a tight scope that you can execute in 60 days or less. Strong examples include upgrades, expansion projects, closing a compliance gap, or improving program maturity in a NIST control area. Justifying the benefit to the corporate budget and then delivering on it will build your team's execution credibility over time.

Board Meetings: Prepare succinct communications for every meeting. Summarize the outputs of risk quantification and planning exercises, and report on program progress and areas for improvement. You can tell a clear story by describing trends, including improvements over time and emerging challenges. Compare the results with last quarter or last year, showing where you reduced your loss exposure, or show how security initiatives have progressed since your last update.

Regulatory Updates: Provide a summary of the impact of new regulations, new projects, and any actions needed for compliance. Well-defined risks should have an associated dollar impact and a probability of occurrence. The quality of your posture against the regulation, and against industry peers, determines that probability.

Define the regulatory risk: how significant is the fine, and how well are you positioned to avoid becoming the focus of an investigation that could pose a risk to the business? Keeping up with amendments to ever-changing regulations can be complex, but AI and natural language processing tools simplify this task.

SEC Risk Reporting for Public Companies: Prepare data and narratives for SEC filings in collaboration with the legal, finance, and risk management groups, because your 10-K report will be under close public scrutiny. These reports require significant review because of their effect on the company's reputation and share price. There is a fine balance between how much and how little information to disclose: disclosure requirements must be satisfied, but you do not want to overshare and expose your security strategy to threat actors.

A 10-K form is filed annually, whereas an 8-K is filed when an incident occurs. 8-K filings are required within four business days of determining that an incident is material. Recently, companies have filed an 8-K as soon as an incident occurs, while their teams are still working to establish whether the event is material. Cyber risk management tools can accelerate this analysis, and having a risk-based methodology for evaluating an incident's materiality makes conversations with the legal and finance teams much easier.

Winning the Battle for Budget Dollars

Many organizations apply a "use it or lose it" approach to budget allocations. This means that funds left unused at year-end might be shifted to your team for a valid project. The catch is that those dollars need to be out the door and spent before the end of the fiscal year.

As you prepare your cybersecurity investment plan, come armed with solid justifications for cyber spending. At first, it might seem harder for cybersecurity to establish a business case and measure return on investment than it is for IT projects. For example, if you show up with a security presentation displaying 5 Greens, 2 Yellows, and 3 Reds and ask for a million dollars, it will not go well for next year's budget. That is why it is so important to translate technical security insights into real business metrics that are relevant to the CFO and other business leaders.

As with any conversation involving risk metrics, know the differences between concepts such as Expected Loss, Value at Risk, and Most Probable Loss. And be aware that once you start showing up fully prepared with justified projects, you will create pushback from competing groups. After all, you are vying for the same dollars that IT, Marketing, Sales, Ops, and other functions covet.

Also, be ready for the skeptics who will ask questions like, "These are just guesses from security. How can we trust these models?" or "What methods did you use to arrive at the guesses in your forecast?" By using cyber risk quantification tools to set cybersecurity priorities, you will have a quick response ready, such as, "We ran 10,000 Monte Carlo simulations using industry benchmarks for similar risks, along with input from our team's actual security experience."

Quantifying Risks to Optimize Budgets

CISOs can optimize their cybersecurity programs and budgets by quantifying cyber risks in monetary terms and prioritizing risk mitigation based on impact and ROI. By using cyber risk platforms, security teams can identify cyber risks with the highest potential financial loss and simulate the positive impact of risk mitigation. In this way, CISOs and CFOs can collaborate to justify cybersecurity investments, including cyber insurance.
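The Monte Carlo quantification described here and in the "10,000 simulations" answer above, as an added example that is not code from the article or from DeNexus: one constructed risk scenario (incident frequency, loss severity, control cost and the 50% frequency reduction are all assumed values) is simulated with and without a control, and the Expected Loss, Value at Risk and mitigation ROI that the budget conversation needs are computed from the simulated years.

```python
import math
import random

def poisson(rng, lam):
    """Draw one Poisson incident count with Knuth's method (fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(freq, median_loss, sigma, trials=10_000, seed=42):
    """Compound model: Poisson number of incidents per year, lognormal loss per
    incident. Returns the sorted simulated annual losses, one per trial."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal parameter giving this median loss
    losses = []
    for _ in range(trials):
        n = poisson(rng, freq)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return sorted(losses)

def risk_metrics(losses, confidence=0.95):
    """Expected Loss (mean annual loss), Value at Risk (annual loss not exceeded
    in `confidence` share of simulated years) and P(at least one incident)."""
    idx = min(len(losses) - 1, math.ceil(confidence * len(losses)) - 1)
    return {
        "expected_loss": sum(losses) / len(losses),
        "var": losses[idx],
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }

def mitigation_roi(baseline, mitigated, annual_cost):
    """Net reduction in Expected Loss per dollar spent on the control."""
    benefit = baseline["expected_loss"] - mitigated["expected_loss"]
    return (benefit - annual_cost) / annual_cost

def compare_scenarios():
    """Constructed scenario: 0.3 incidents/year, median incident cost $500k,
    and an assumed control that halves frequency for $50k/year."""
    baseline = risk_metrics(simulate_annual_losses(0.3, 500_000, 1.0))
    mitigated = risk_metrics(simulate_annual_losses(0.15, 500_000, 1.0, seed=7))
    return baseline, mitigated, mitigation_roi(baseline, mitigated, 50_000)

if __name__ == "__main__":
    base, mit, roi = compare_scenarios()
    for name, m in (("baseline", base), ("mitigated", mit)):
        print(f"{name}: EL=${m['expected_loss']:,.0f} VaR95=${m['var']:,.0f} "
              f"P(loss)={m['p_any_loss']:.2f}")
    print(f"mitigation ROI: {roi:.2f}")
```

Replace the assumed frequency, severity and cost inputs with your own asset and benchmark data; the same comparison then ranks competing mitigation projects by ROI.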

Annual, monthly, and weekly cybersecurity planning cadences should be tailored closely to the business. These plans vary from year to year with business objectives and the security environment. Sticking to the cadence lets the team step out of the trenches and think more strategically. Advance planning also becomes essential for better engagement and communication with business peers, with the cybersecurity function supporting them.

About the Author

Chris Patteson | Account Management Director for DeNexus

Chris Patteson, a visionary leader, joined DeNexus in 2024 to counsel production customers on the use of DeNexus for cyber risk management and act as Field CISO. He brings over two decades of experience as a Governance, Compliance, and Risk Quantification leader. His diverse background spans manufacturing, technology, and logistics sectors acting as a CISO and Security Director. Chris has led and advised data scientist teams on developing new methods, models, and architectures for managing fraud and security. His ability to drive innovation, particularly in advanced data modeling techniques and creating actionable intelligence for managing risk, is truly inspiring.

During his time in field sales at RSA, he advised executive leaders on improving organizational risk management practices to avoid undue exposure to cyber threats and risk. An Industrial Engineer by training, Chris holds an MBA in Strategic Management. His current research covers security architectures for risk systems and risk data science. His work led to a patent for Methods, Systems, and Devices for Detecting and Isolating Devices Posing Security Threats.