Once upon a time in a company far far away
Several years ago, in a different organization, my team and I successfully implemented a Vulnerability Management program. It was a massive undertaking, taking over a year and a sizable budget to complete. Our goal was to continuously scan over 100,000 devices and automate the reporting of findings to the relevant teams. The project went beyond reporting by actively collaborating with teams across the organization to address and remediate vulnerabilities.
Naturally, management was keen to understand the results. This project was a significant investment, driven by the need to enhance our security posture, meet compliance requirements, and manage the increased workload for IT and engineering teams. As expected, we identified numerous vulnerabilities in such a large environment and established a process for remediation.
The following year, I requested a budget to acquire a tool for scanning application vulnerabilities. This seemed like a logical step given our software development activities. To my astonishment, the COO responded with, “Last year we gave you budget to buy a tool that told us how bad we are, now you want to buy another tool to tell us how much worse we are?”
Back to the drawing board…
Reflections and lessons learned
Clearly, I hadn’t effectively communicated the tool’s value to the COO. He was a smart guy, but my initial request framed the investment as “We need more budget to buy things to tell you about more things you should worry about.” Ironically, this is a common tactic used by security vendors, who often emphasize “visibility” while conveniently overlooking the increased workload.
I firmly believe in proactive security measures, but it’s essential to clearly communicate the benefits and risks. Whether you’re a vendor pitching to a CISO or a CISO seeking budget approval, consider the following:
Is the investment needed to Grow the Business, Optimize Cost, or Reduce Risk?
- If the answer is none of these, it might not be the right investment.
- Demonstrating alignment with all three creates a compelling case.
- At a minimum, one of these criteria should be met.
Here are a few examples:
- Certify for SOC-2 Type 2: Many organizations will require you to have a SOC-2 before they do business with you, so this can easily be categorized as “Grow the business”. Of course, you will also need to weigh the cost against the potential business value.
- Implement a Vulnerability Scanner: If you are seeking a SOC-2 certification, then CC7.1 requires “To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.” This can therefore be categorized as “Grow the business”, and also as “Reduce Risk” by detecting and remediating exploitable vulnerabilities.
- Implement Breach and Attack Simulation technology: The goal of Breach and Attack Simulation technology is to test the effectiveness of your defenses, so it can be categorized as “Reduce Risk”; it can also help detect ineffective or redundant defenses, so it can be categorized as “Optimize Costs” as well.
While there are numerous factors to consider, framing the investment in terms of business value is more effective than relying on “best practices” or “compliance mandates”, especially when communicating with non-security stakeholders. Security is a risk, like any other business risk. Aligning your request with the organization’s goals will improve the chances of securing the necessary funding.
I’m curious about your experiences. What strategies have you found successful for justifying security investments?