Selling an Increase in Cybersecurity Spending to Your Board

Among the interesting findings in Nuspire’s annual study of CISOs and IT decision-makers for 2022 was the continued struggle to secure the budget required to deal with the current threat landscape. Despite growing knowledge about cybersecurity and recognition of its importance among board members, competing business interests often lead to budget shortfalls that hinder potential improvements to a company’s overall security program.

Selling an increase in cybersecurity spending to board members has never been easy. Cybersecurity funding is a defensive strategy, and it comes with the perennially tricky task of quantifying a return on investment. Furthermore, board members get asked to approve funding for many other important business areas, initiatives and projects throughout the year.

So, how can CISOs or IT decision-makers secure an increase in cybersecurity spending to board members? This blog offers some tips.

Change How You Think and Speak About Cybersecurity

Taking a high-level overview of the problem at hand, securing increased funding for cybersecurity is basically an internal marketing campaign. The “buyer” that you’re marketing to is the board members. Empathy for their perspectives can drive better outcomes through more refined messaging, and this empathy starts with changing how you think and speak about cybersecurity.

Eliminate jargon

The temptation when you have expertise in infosec is to speak in the language of that world. Unfortunately, cybersecurity is awash with jargon and technical terminology that quickly gets tuned out by a non-technical audience. This terminology ranges from the prevailing threats and attack vectors to the latest shiny solutions designed to keep the bad guys out.

It’s pivotal to switch your mindset to that of a business leader rather than a cybersecurity professional when trying to secure a heftier cybersecurity budget. Rather than diving into the latest malware variants and zero-days, keep in mind the language of profit, financial impact and risk that board members truly care about.

Procuring the best technical solutions is obviously central to the success of security programs, but don’t let your passion for cybersecurity lead to a myopic focus on the nuances of various solutions. Instead, always speak in the language of risk mitigation as the best way to secure that all-important budget allocation.

Focus on risk in monetary terms

An easy mistake to make is talking about risks in a context that board members don’t really resonate with. This is particularly important when presenting metrics to help make your case for increased investment. Instead of mentioning the number of cyberattacks or incidents prevented, express risk in terms of monetary loss or savings. This helps better depict cybersecurity investments as investing in the future of the company and it ties cybersecurity into the achievement of business goals.

Weave data into a compelling story

Ultimately, the challenge in selling an increase in cybersecurity spending boils down to being able to appeal to emotions. A stereotype of board members is that only hard data and robust analysis appeal to them. But more important than the data when it comes to selling anything is the ability to connect on an emotional level with an audience, whoever that may be.

The best approach is to weave relevant data, metrics and charts into a story that resonate with the C-suite. As for what kind of story resonates, it’s perhaps useful to try and paint a picture of how the business might look if certain elements of the security program are more adequately funded than their current state. While it’s easier to appeal to fear, uncertainty and doubt (FUD), a more positive slant that focuses on say, increased customer trust or other positive impacts on the company’s future direction could prove more fruitful in winning your audience over.

Use An Objection Handling Framework

While changing how you speak and think about cybersecurity will definitely make your pitch more persuasive, board members may still have objections. Without adequately preparing to handle and overcome those objections, your hard work to secure more cybersecurity spending can fall flat. An objection in this context is any statement a board member makes that demonstrates an unwillingness or hesitancy to use the company’s budget in the way you’re proposing.

Any successful salesperson quickly learns the importance of getting past objections during their negotiations. A good attitude to take toward objections is that espoused by author and salesman Brian Tracy, who says, “treat objections as requests for further information.” Some of the commonly encountered objections to selling an increase in cybersecurity include:

• “Haven’t we already invested in this?”
• “We just don’t have the budget for this.”
• “The need doesn’t seem pressing given that we’re yet to suffer from a serious breach.”
• “The current direction of the company is on growth, not on defensive measures that preserve the status quo.”
• “Surely there are cheaper ways to overcome this problem?”

An objection-handling framework is a useful tool you can borrow from the world of sales negotiations and apply to your efforts to get a greater chunk of the company’s annual budget allocated to infosec purposes. A popular framework is LAER, which has four simple yet powerful steps for handling objections:

1. Listen—it’s vital to actively listen to what board members are saying. Effective objection handling starts with truly understanding the objection rather than preparing canned responses.
2. Acknowledge—this step is all about expressing empathy and validating the concerns of the objection.
3. Explore—make the objection handling process a dialogue by asking open-ended follow-up questions that further explore the objection and help you better prepare a response.
4. Respond—try to answer any concerns expressed in a thorough way, perhaps even using data or social proof to strengthen your answer.