How the top CIOs get security budget from the board

Show boards the headlines when other organisations get hacked, and if all else fails, get hacked yourself

Ask a CIO what keeps him or her up at night, and the chances are that they'll say it's the threat of a security breach. There are few faster ways to the job centre for a CIO than their organisation making headlines for leaking data, whether through a hack, or a malicious or incompetent insider.

Computing recently moderated a conversation between dozens of CIOs at its IT Leaders Summit to find out how they set their security spending, and how they try to set board-level expectations around the amount of spending needed, and the likelihood of their organisation being targeted.

The conversation was run under Chatham House rules, so whilst the quotes and sentiments are reported accurately, names of people and organisations have been withheld.

One CIO from the financial sector said that his organisation is moving away from simply attempting to prevent cyber attacks.

"We're moving more towards detection, and are looking to improve employee behaviour when it comes to security. You have to assume you've already been hacked."

Another CIO agreed with the idea that every organisation has already been hacked, but disagreed with another who suggested that there could be safety in numbers.

"I'm not convinced your job's safe if you're breached, just because everyone else has been too. I'll make that point to the board as I'm being shown the door," she added.

One IT leader in retail made the point that tightening up an organisation's security doesn't have to equate to increased spending.

"We're starting with business processes, trying to fix those internally first. If we find any holes we can't plug otherwise, then we might look at new tools. But the point is you can improve processes at no or low cost, and my CFO doesn't like spending money - the same as everyone else's CFO."

The CIO from the financial sector made the point that the level of security spending is a board-level, not technology-led decision.

"The investment depends on the risk appetite of the business, so it's a business decision. They have to decide how much they want to de-risk their operation. And GDPR has helped push that conversation up to board level, it's one of the best things to happen for data security."

Whilst one of the goals of security teams is keeping the organisation out of the headlines, there was a feeling amongst the group that the steady flow of breaches making their way through the press is helpful in terms of raising awareness.

"Our board aren't especially IT literate, so you deal in headlines. We talked about Wannacry to our board, and that real stuck with them and helped us."

Another CIO said that their insurer helped them raise their own level of security investment.

"In order to qualify for our insurance we had to answer a series of questions around our security. We had to invest in order to be able to answer them properly, so that actually helped us," he said. He added that more firms should use insurers to assess their current level of security competence.

"More firms should speak to insurers about their security. Insurers are great at risk assessment, it's what they do. And they'll effectively do that for you for free, because it means you buy a policy at the end."

One IT Leader from the hospitality industry said that additional investment in her organisation came from being hacked.

"We had one minor breach where someone gave his password away stupidly, so they got into his account. Then we had a more major breach where someone clicked a phishing link and then the Loki virus spread across our entire estate and locked all our data away."

She added that despite the inconvenience, the firm refused to pay the ransom.

"We didn't pay the hackers. Instead we deleted everything and restored from our backups, which worked perfectly. But it did help drive additional security investment to stop it happening again."

Another CIO agreed, citing the importance of backups.

"It's as much about working out how quickly you can come back from a breach or other issue, than it is about ensuring it won't happen. Because it will happen."

IT security failings are, increasingly, costing CIOs and CEOs their jobs. With business utterly dependent on IT, it's not enough for senior executives to dismiss security as ‘techie stuff'.

At Computing's Enterprise Security & Risk Management Live event, hear from the National Crime Agency, ex-hackers and big-business CISOs to learn about how they are tackling cyber security.

For more information, check out the dedicated event website. Attendance is FREE to IT leaders and senior IT pros.