In a recent blog post, ‘5 Signs You’re Losing the Cybersecurity Battle’, we argued that a business could not patch every vulnerability facing it. Still, it can gain control by tackling the most critical ones. To do this, you will likely need an increase in your cyber budget for the year to cover any additional staff required and ensure you have the best scanners and prioritisation tools in place. But, of course, asking the Board for more money isn’t easy, so to give you the best chance of getting a bigger cyber budget, we’ve prepared some tips.
This will be the first question they’ll ask. The figure needs to be realistic if it’s to be taken seriously, but it also needs to be well thought through. An exact figure per month, per year or per project lifetime will be required, broken down into each element – staffing, tools, training, and any other costs.
Any holes in your budgeting will not be well received, so we recommend taking the time to go through previous budgets carefully to ensure everything is covered. In addition, if you can get time with a member of the finance team to discuss anything that isn’t clear to you or any financial constraints the business may be about to face, this would be even better.
Timing is crucial – you need to ask for a budget meeting months before the company year-end so that if they do grant you a bigger cyber budget, it is factored into the forecasting for the year ahead. Miss the opportunity, and the answer will be no regardless of how strong your case is.
Not only that, but it’s worthwhile taking stock of the company’s recent performance, the general health of the market and recent company reports to see where its priorities lie and if budgets are being increased or squeezed. Of course, IT security should always be a priority, but if money is tight, asking for a significant investment would be foolish.
The next questions they’ll have are how the increased cyber budget will be used and why you need it. Present clear arguments for the impact if no action is taken versus what can be achieved with the new resource and tools in place.
No matter how desperate you are for the extra budget, do not lie or exaggerate here. If you don’t meet the targets you’ve promised, securing additional funds in the future will be even more challenging.
Have evidence of the research you’ve undertaken to find the best tools and support for your needs. They may not need this detail, but it’s essential to be prepared just in case. The last thing you need is for them to ask why you’re not using another tool or taking a different route, and you don’t have an answer. They need to believe this has been a thorough investigation, and there is a real need for the money.
Demonstrate your confidence in the tools you wish to acquire by committing to regular reports to the Board that show the impact being made. Set their expectations about how quickly the new team members or tools will be up and running (after training and onboarding) and when results should be expected.
If the amount you’re requesting is likely to be considered substantial by the Board, it may be that they can only grant a proportion of it. In this case, it’s recommended that you pull together a range of options for cyber budget increases, each with projected results. This will help them to understand the trade-offs and make an informed decision.
Make it clear which is your preferred option (the highest one), but also that you would be very grateful for one of your other options and have done the research to determine the impact each amount would make.
You’ll likely be presenting your case to the FD or CFO, who won’t be as familiar with IT terms and issues as you are. Make sure your case is presented in simple terms so that your audience understands but doesn’t feel patronised. Also, think about the details they’ll be most interested in – financial terms, the notice period for the tools, any extra costs associated with their use, whether there are any discounts, etc. Come armed with all of this information, and if a question comes up that you can’t answer, don’t guess. Say you’ll get the details to them as soon as possible.
Once the Board has given its decision, act quickly and responsibly. If you’ve been granted the money you requested, ensure that you move forward with your plans as soon as the budget is available to avoid missing any of the targets you’ve committed to.
Alternatively, if your budget request was denied, ask politely for reasons why and when there will be another opportunity to present a case for a budget increase. This will ensure you’re even more prepared for next time.
We hope this helps. We’d love to have you on board with RankedRight this year.