Despite the increasing awareness of, and importance of, creating an effective information security program, many cybersecurity leaders have faced the scenario in which their budget was being reduced or limited. If you haven’t faced this obstacle already, consider yourself lucky. Most security leaders will have to navigate budget cuts at some point in their careers.

While it’s never wanted, rarely advised, and always frustrating, when cuts do occur, cybersecurity leaders have a real opportunity to demonstrate their leadership acumen and to raise their profile within the organization. The security leader who demonstrates that he/she is capable of continuing to manage a cybersecurity program and address key risks even when resources are limited can truly set himself/herself apart as a savvy and valued member of the organization’s leadership team.

The question then becomes, “How?” How should you appropriately address your frustrations and the potential issues the cut causes without putting your job in jeopardy or undermining your credibility with company leaders? How can you effectively convince senior leaders to provide more resources in the future?

Before we dive into specifics for how you should approach the situation, it’s important to consider the perspective of your senior leader. Trying to understand where they’re coming from is always helpful. (This is true of any situation where there is conflict, by the way.)

Something to Remember When Your Cybersecurity Budget Gets Cut

One of the biggest challenges for most information security programs is relevance. What I mean by this is that in the big scheme of things, an information security program doesn’t typically directly contribute to a company’s bottom line.

Consider this: Most companies are in business to return value to their stakeholders. Value is typically returned in the form of profits. When a company is under pressure to increase profits, it has two options: increase revenues or reduce costs (or both). An information security program doesn’t directly increase revenues OR reduce costs, and, as such, when a company is under pressure, the InfoSec budget is a common target for cutbacks. As security leaders, we would be well-advised to be mindful of this fact. That can help put things into perspective when the budget cuts come through.

Side Note: I totally understand and acknowledge that a well-executed cybersecurity program can help to reduce breaches and other security incidents, which can indirectly prevent costs and preserve profits. But that can be a difficult argument for a cybersecurity leader to hang his/her hat on because of the difficulty of demonstrating the financial impact of a breach that hasn’t yet happened.

A Step-by-Step Guide to Talking About Cybersecurity Cuts

What’s the most effective way to address the situation when your cybersecurity budget is cut or eliminated? Here are three important steps:

Step 1: Remain calm.

Learning that your budget is being cut or limited can create a lot of uncertainty and questions. It’s easy to get worked up, overwhelmed, and even angry about the situation. However, addressing the situation when you’re frustrated or heated is never helpful. Very few cybersecurity leaders have gotten more money for their budget by yelling louder or complaining more. The first thing to do when addressing a budget cut is to take a deep breath. Avoid making abrasive comments (even to your team members) that could undermine your status as a company leader if misinterpreted or later misrepresented. If necessary, consider heading off-campus to allow yourself some time to calm down and think clearly about your response. Taking the time to clear your head allows you to revisit your planned initiatives and see how you can make adjustments to get the most out of what you do have.

Step 2: Develop some talking points on how cybersecurity aligns with larger business objectives.

Remember, it’s important to show that you understand where your senior leaders are coming from when they’re making decisions about your cybersecurity budget. You want to show them that you understand the bigger picture and the company’s overall business objectives. Once you’ve put together some ideas, reach out to your boss or an influential decision-maker in the business and ask for some time to chat.

The nature of the discussion should be something like this: “While I was disappointed to see that my security budget request was cut, I recognize that the company is making business decisions based on the company’s overall financial goals, the current situation, and management’s risk tolerance. Therefore, I’ve taken the initiative to revisit my plan for the next period, and I’d like to share with you my strategy for getting the most out of our cybersecurity efforts and best managing our cybersecurity risks with the resources and funds that I do have.” 

Step 3: Continue to communicate and provide relevant insights on your program.

More than likely, one conversation won’t magically solve your problems or cause additional budget money to appear. If the senior leader seems receptive to continuing the conversation, it’s important to continually reiterate the value your program provides and the return on investment your initiatives are creating. Find ways to translate what you’re doing into the areas senior leaders care about most, talk through your approach, and consistently look for ways to re-communicate key risks to ensure that they are documented and top of mind. This approach will demonstrate that you are a part of the leadership team, and not an antagonist or a short-sighted IT geek.

Be the Leader Your Organization (and Cybersecurity Program) Needs

Security leaders who demonstrate that they see the bigger picture and can be team players will always be valued. In some cases, you might even find yourself getting invited into the executive circle. And, when you’re regularly swimming in the pool with the big dogs, your perspective, your opportunities, and your security program will totally evolve.

We’re Here to Help

If you’re struggling to earn trust and respect within your organization, we’re here to help. As leaders in the information security industry, our team at LBMC Information Security has a unique depth of expertise at your disposal. Explore our Security Consulting services, or contact us today to learn how we can help you with information security solutions.

This blog is the ninth in a series by Mark Burnette on security leadership that focuses on key issues security executives face daily and tips for how to navigate those issues with excellence.