Getting a security budget approved is a challenge, but it is arguably the single most important task a security leader can accomplish. This session reveals the six common factors that successful CISO’s use to quantify needs and justify security budget with non-technical executive leaders. Research and data gleaned from over 40 interviews with high-profile CISO’s provide some interesting results.

1. SESSION ID:
Getting Your Security Budget Approved
Without FUD
CISO-W04A
John B. Dickson, CISSP
Principal
Denim Group
@johnbdickson

2. #RSAC
Why Is Selling Fear So Compelling?
u Is it like selling insurance?
u The security industry is struggling
for parallel models and metaphors
u FUD Distorts the Process
2

3. #RSAC
CEO
CFO
CIO
VP
Development
Development
CISO
Security Leaders Are at A Structural Disadvantage
u They have a staff advisory role
and not a “line” operator role
u They have different world views
that drive their perspective
u They talk differently
u They have less power
3

4. #RSAC
The Key Principles of Selling Security
1) Exploit Pet Projects
2) Account for Culture
3) Tailor to Your Specific Vertical
4) Consciously Cultivate Credibility & Relationships
5) Capitalize on Timely Events
6) Capture Successes & Over-Communicate
4

5. #RSAC
1) Exploit Pet Projects
Always bundle security into CAPEX
or other critical projects as defined
by the CEO
5

6. #RSAC
2) Account for Business Environment
Radically adapt your “Request for
Resources” to your organization’s
culture and risk appetite
6

7. #RSAC
3) Tailor to Your Specific Vertical
7
Tailor security requests to your
specific vertical, sub-vertical, & sub-
sub vertical

8. #RSAC
4) Capitalize on Timely Events
Use near-death experiences of
others to justify security spend
8
“You
never
let
a
serious
crisis
go
to
waste.
And
what
I
mean
by
that
it's
an
opportunity
to
do
things
you
think
you
could
not
do
before.”
-­‐
Rahm
Emanuel

9. #RSAC
5) Consciously Cultivate Credibility & Relationships
Credibility and relationships must be
established prior to “Making A
Security Ask”
9

10. #RSAC
6) Capture Successes & Over-Communicate
Document security wins and communicate these successes so they become
the new operating norm
10

11. #RSAC
Conclusion
Successful security leaders exhibit certain consistent approaches to get
their security budgets approved – without using FUD!
1) Exploit Pet Projects
2) Account for Culture
3) Tailor to Your Specific Vertical
4) Consciously Cultivate Credibility & Relationships
5) Capitalize on Timely Events
6) Capture Successes & Over-Communicate
11

12. Q&A
John B. Dickson, CISSP
john@denimgroup.com
@johnbdickson