In the years before business leaders truly understood cyber risk, requested budgets for cyber security departments were often approved without thoughtful consideration or review. There was a day when CISOs could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.” Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems. The funds were generally spent on products and on the staff to support them.
CISOs can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity. The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire building, or opportunities to buy the trending tools. Security funding needs to produce measurable results or, at a minimum, be supported by credible metrics that validate the business need.