Quantifying Risk & Security Funding: How Everyone Can Get What They Want

By Jason Rowland
June 25, 2019

Risk quantification has long been an imperative topic for security leadership, but now more than ever, boards of directors and C-suite executives are acutely invested in how their organizations are performing from a security risk perspective. The publicity garnered by cyber events is at a greater scale than has ever been seen, as are the liabilities. While every level of leadership is playing for the same team, the focus of each, and the methods by which each arrives at a “win”, can be entirely different. This raises the question: how can boards, the C-suite, and security leadership all get what they want in terms of quantifying risk, while ultimately working together for the long-term benefit of the business?

As we’ll see in more detail, quantifying risk not only allows security leadership to build a stronger, more holistic security program, but it’s a key step in acquiring proper security funding as well.

Start with The Inherent Risk

The first place to start in getting on the same page is to establish a shared understanding of the security risks to an organization’s business objectives. This needs to be an ongoing conversation, as the risk landscape is ever-changing. For each business this is always a little unique, because of the diverse verticals within different industries.

For example, an e-commerce company’s main operational risk may fall under “Availability Risks”, since its service being unavailable to consumers has an immediate and measurable impact. A pharmaceutical organization’s priority, however, most likely wouldn’t be availability of inventory but rather “Information Risks”. The most valuable asset to that organization might be research and development around new drugs, so its greatest risk may be the loss of that intellectual property. Business-aligned conversations of this nature are the crucial component in ensuring buy-in from senior executives, as well as a prioritized and cost-effective security program.


The maturity of the business’s security program also needs to be evaluated frequently in order to remain relevant or, in some cases, to gain relevancy. By comparing and analyzing the threat landscape, the inherent risks of your business, and the security program’s maturity, leadership will be able to determine where any residual risk resides. Addressing residual risk with security program improvements is how meaningful risk reduction is achieved.

Respect Priorities

The CEO’s focus will typically be the bottom line, along with managing public opinion and the perception of the organization. In matters of cybersecurity, this means they will usually be more interested in the details of where their security program stands, and in making sure the program is as cost-effective as possible. Because they’re the ones “on the hook” for meeting regulatory requirements, they’ll want to be updated on any developments in their industry. The rest of the C-suite will also be very interested in how they measure up against their industry peers and competitors.

While the destination is the same, the route of the conversation is going to be quite different when speaking to the board. Compared to the C-suite, an organization’s board of directors will want a much more succinct report on how the security program is operating. The level of depth and technical content will be much lower, since most boards are not as tech-savvy and have many business matters to decide, which is their primary role. They’re usually up to speed on existing industry and government regulations, but they should be kept informed about the constant onslaught of new ones coming down the pipe.

Staying up to date requires the cooperation of several different functions (the CISO, Legal, Data Privacy). The board sees breaches in the news just as often as the rest of us, and they simply want to know how well protected the company is against these threats.

Regardless of how much information is shared and in what detail, it should always stem from the same body of knowledge: Where are our security gaps? Are they properly prioritized? How much will it cost to close them?

Be Proactive with Security Framework Communications, and Tie Proposals Back to Business Objectives

For security leadership, a common hurdle in acquiring appropriate security funding stems from not having a common security framework report available. A simple summary explaining “This is where we are, and this is where we need to be” regarding the security program is often all it takes, yet the mechanism for demonstrating this is lacking in most organizations.

When speaking to the C-suite, security leaders have to be able to communicate security funding needs in terms of the overall business goals and objectives: understand which risks threaten which business goals and objectives, and how additional funding will address those gaps. As a security leader, it’s easy to get caught in the trap of over-explaining the security program at a technical level. In order to establish a holistic program, it’s critical that the explanation does not fall short in showing how the business objectives are supported.

The ideal way to pitch a security program to organizational leadership is always going to follow the sequence: Business Goals & Objectives → Business Processes → Existing Operational Risks → Proposed Solution to Risk Gaps. Security leaders are also obligated to educate C-suite and board members on the impact of being compliant with any and all regulations, such as HIPAA and PCI, as well as what the impact of being out of compliance could be.

The “Holy Grail” of Security Funding

“Knowledge is a process of piling up facts; wisdom lies in their simplification” - Martin H. Fischer

The key to successfully acquiring security funding often lies in simplicity. The temptation to over-communicate technical information is rampant, and it often causes even well-seasoned CISOs to trip over themselves in meetings with business leadership.

Make sure that your message on the security program demonstrates to the board and C-suite that you understand what the business goals and objectives are, and that you’ve crafted a plan that mitigates their risks in the most cost-effective way possible. This is the “holy grail” of acquiring the funding that your security program needs.



KEYWORDS: c-suite cybersecurity risk management security funding

Jason Rowland is Vice President, Consulting Operations at security services firm Alagen. With more than 20 years of information security experience, he has led teams driving tailored solutions in the areas of compliance, security assessment, security operations, as well as major incident response and remediation efforts for Fortune 500 corporations.

Copyright ©2025. All Rights Reserved BNP Media.
