This article is the seventh in a series of articles by NAV CANADA Vice-President and Chief Information Officer Claudio Silvestri about talking to your board about cybersecurity.
Define and lay out your investment and initiative roadmap, and what strategies they support
If you are an IT leader at any level, laying out your roadmap and investment requirements should be nothing new. You are likely used to developing roadmaps that outline a series of investments over time that aligns to the priorities and business objectives of your organization.
While developing a cybersecurity roadmap should not be any different in terms of the process used to identify, describe, and seek approvals for funding, there may be additional or different things that would help ensure a clear understanding of why you are asking and what the expected outcome will be.
Assuming your organization is like most IT organizations, funding is not infinite, and you are probably competing for your own budget in terms of new spending. A request for millions to replace your SIEM can be a hard sell against investments to increase sales or improve customer satisfaction. Your VP of Sales may not even know what a SIEM is, let alone be willing to reduce the investment priority on new sales tools to increase the effectiveness of the sales organization.
The other reality is that when describing the business value for investments to avoid or minimize risk, it’s easy for organizations to defer investments that don’t directly support corporate goals, especially in the private sector.
There are a few things you can do to increase the likelihood of getting funding approval to support your roadmap:
- Have a separate and distinct cybersecurity roadmap. Don’t blend your cybersecurity roadmap into your other functional or operational plans. It could get lost in the other things you are asking for, and face more direct competition from other spending requests from across the company.
- Don’t describe your cyber investments with “IT speak.” This is one of the most common mistakes IT leaders make when asking for funding on things that are not directly aligned to the priorities of the functional leaders.
Everyone knows what a Sales Force Automation system does and what value it can create for the sales organization and its management. That is not the case for many of the behind-the-scenes technologies necessary to support a healthy and resilient IT infrastructure.
Have you ever tried to describe the value of a WAF and why you need one? Or why you need to spend $2M to re-architect your network and establish a DMZ? This not-so-pretty conversation becomes uglier the moment you use “WAF” or “DMZ” in a sentence.
Do not describe your funding request in any technical jargon or lace it with acronyms that few business executives understand. Describe your cyber investments in terms of functional value and risk mitigation impact.
Turn a sentence like “Redesign the data network to create separate network segments by implementing a DMZ” to “Establish a layered network to help prevent a security breach by isolating our critical computing infrastructure and corporate data.”
No one really cares how it’s done. They only care that you are asking for investments to help protect company assets from harm.
- Very clearly align your roadmap to your maturity level and gaps in capability. Taking the time to assess your current and target state maturity level, and document your capabilities heatmap, will put you in a great position to develop a series of logical investments that align to both.
IT roadmaps are often laid out primarily in a chronological fashion. While helpful from an IT program or resource planning perspective, it is not as helpful as when it is laid out on the basis of function or outcome.
Learn to create investment “swim lanes” in your cybersecurity roadmap that align to your maturity or capability requirements. For example, you might a have an investment category called “Business Continuity” or “Network Security.” In each, you could then describe a specific initiative that requires funding, when you plan to do it, and how it supports the longer-term outcome of achieving your target maturity level.
Next article in the series: “Cybersecurity essentials – Response and return-to-service“