Cybersecurity Funding: CISOs Share Their Top Tips

Susan Nunziata, Director of Editorial | 2/27/2014 | 20 comments

Susan Nunziata
How do you get corporate funding for cybersecurity when it's so challenging to measure and report ROI to your C suite and board of directors?

This was one of the many topics discussed by chief information security officers on several panel sessions we attended Tuesday, Feb. 25, at the RSA Conference in San Francisco.

During a session entitled "Aligning Cyber Security Personnel & Processes," Greg Schaffer, CISO of Circumfrerence Group and a former Fidelity Investments CSO, summed up the dilemma this way: "The fact that you haven't had an incident is not an indication that you are secure. The fact that you have had an incident is not an indication that you're less secure."

How do you find the right metrics to report to your business-side executives? We can draw some lessons from the process outlined by Gary Gagnon, senior vice president, CSO, and corporate director of cybersecurity for Mitre Corp. His team provides a monthly executive-level metric report featuring seven or eight briefing charts. He explained these charts and the information they show.

  • External environment: This chart identifies what threat vectors others in the industry are seeing.
  • Volume chart: It shows the number of trouble tickets Gagnon's team addressed in the last month. "It's a way of understanding adversarial actions. We spend a lot of time dissecting those trouble tickets."
  • Attack vectors: This chart details the concerted attacks Mitre saw in several vectors: Crimewear, Unknown, and Advanced Persistent Threat.
  • Bullseye chart: It shows which layer of defense is having the most impact, how far attackers penetrate the security, and which sensors caught them. If an attack reaches the center of bullseye, it means no sensor caught it, and the company has a data leak. (Gagnon quipped that he has not seen and never wants to see penetration to the center.)
  • Patch status: "We have an internal goal to patch 90% of our machines within three days. I use this to compare against each of our operating centers to see which are more aggressive than others."
  • Click ratio: Gagnon monitors the click ratio of Mitre employees who are targeted more frequently than others. "We spend a lot of time with them on training, trying to understand what drives them to click. My goal is to drive that to less than half a percent." He's very specific about training those who are targeted most frequently. That training is "customized to what they are actually seeing when they're targeted."
  • Status of infrastructure upgrades: This chart covers things like "getting XP out of the enterprise, knowing what's going on with the network, and whether we can do this to the fidelity that a lot of these regulators want us to."

Part of the CISO's job is helping business-side executives understand the true nature of cyberattacks. Schaffer described the situation this way:

One of the things we have to get our business leaders to focus on is that cyber is not a hurricane. You can build a building that meets a certain number of specifications to withstand a hurricane. That's not what cyber is. Cyber is like ants inside your house. You can spray and bring in exterminators and do everything right, and the ants will disappear. And then, one day, there's going to be an ant in your living room, and you'll say: "How'd that get there? Squish." Once business leaders understand that the cybersecurity problem is going away when crime goes away, then we'll all be on the same sheet.

During another session we attended, "Storm Advancing: Security Weathermen Forecast the Advanced Threat Landscape," Carter Lee, CISO of, shared his views on getting corporate funding for cybersecurity.

"The two easiest ways to get funding is, one, allow yourself to get hacked," said Lee. "The second way is to use things like PCI regulations" and other regulatory or compliance requirements for your industry, "so you can tell the business exectuvies, 'We have to do this, or we're not going to pass.'"

However, "a more effective way to do that is to show statistics." For example, "the number of malware-infected machines has gone down over time because we've invested in a certain product. If you can replace costs with smarter intelligence, you're always going to be able to find the funding. You just need to justify it like any other business expense."

Ramin Safai, CISO of the investment firm Jefferies & Co., said increased coverage of cybersecurity by mainstream news media has helped raise awareness within the C level and the board. "The Wall Street Journal plays a big role. Just the headlines make the board aware. They come back and ask the CIO, 'Do we have this under control?'"

Golan Ben-Oni, CISO of IDT Telecom, said it's also important for security executives to be aware of business priorities. Security projects affecting the areas of the company that matter most to the business executives are most likely to get funding. "Recognize the areas of your organization that management values most, and concentrate your efforts into those areas."

Are these experts on the mark? Do their observations line up with or contradict your own experience? What other advice do you have for information security and IT professionals looking to keep their organizations protected? Share your thoughts in the comments field below.

— Susan Nunziata, Circle me on Google+ Follow me on TwitterVisit my LinkedIn pageLike EnterpriseEfficiency on Facebook, Director of Editorial,

Related posts:

View Comments: Newest First | Oldest First | Threaded View
Page 1 / 2   >   >>
MDMConsult   Cybersecurity Funding: CISOs Share Their Top Tips   5/6/2014 10:18:23 AM
Re: Love this quote
SLAs and establishing data quality control relies on monitoring, data quality rules and addressing important issues requiring attention. When the quality of data does not meet the level of acceptability, operational data governance in an organization can internalize. This results in observance of the DQ SLAs, and consequently continuously monitor and control the quality of organizational data.
Susan Nunziata   Cybersecurity Funding: CISOs Share Their Top Tips   3/26/2014 7:57:23 PM
Re: Love this quote
@Dave: That's one of the best ant stories I've ever heard. Knowledge can be costly sometimes. Sorry you had to learn about ant-eradication the hard way.

As for me, I don't like the Brits' test nor do I like the ideas of what they might do next. 
David Wagner   Cybersecurity Funding: CISOs Share Their Top Tips   3/3/2014 12:51:16 PM
Re: Love this quote
@Susan- I don't know what kind of ants they were. They were very tiny ven for ants. they came in with our Christmas tree last year. what's funny is that we tried various traps and poisons available in the store. Didn't work. We paid an exterminator $150 to come in. And he said, "I can't do anything until I know where the live. The next time you see one, put this down. It will attract them and I can follow th elin eback to the nest. Call me immediately when there is a line headed to the bait. The bait is also poison they take back to the nest. It might kill them all by itself."

So I see one. I put the trap down. Giant line of ants forms. I call the guy. He doesn't come. Call him again. He doesn't come. A day goes by and no more ants. Gone. Haven't been back since.

Turns out the thing he gave me is sold in my grocery store for $8.

I considered suing or complaining but in the end I decided I paid $175 for the knowledge of which product to use. :)

As for the Brits, yeah, I'm not actually bothered by the "test." It actually makes a lot of sense to me. I'm bothered by what they'll do now that the "test" is over.
batye   Cybersecurity Funding: CISOs Share Their Top Tips   3/1/2014 3:14:13 AM
Re: Love this quote
it scary but it reaity of technology good or bad... on my laptop camera I put black tape over it... better safe than sorry... in my books
Susan Nunziata   Cybersecurity Funding: CISOs Share Their Top Tips   2/28/2014 11:34:46 PM
Re: Love this quote
@Dsve: sorry about the ants in the house, hope they weren't carpenter ants.

I'm not sure what's more troubling about the web cam news: That the British were doing it, or that they were surprised at what they saw...

David Wagner   Cybersecurity Funding: CISOs Share Their Top Tips   2/28/2014 8:24:20 PM
Re: Love this quote
Having dealth with an ant problem a year ago, I shiver at the thought.

Seriously though, the ant idea fits because there are so many threats. Just a few days ago came the story that the British were spying on people's web cams to see if their facial reconigtion software worked. And their comments internally were "my, people do seem to use webcams for a lot of intimate stuff."

Yes, they do. So stop watching them! I guess that is too much to ask.

Susan Nunziata   Cybersecurity Funding: CISOs Share Their Top Tips   2/28/2014 8:20:54 PM
Re: Love this quote
@Dave: Based on what I've heard at RSA, the idea of throwing up your hands and saying we can't stop it anymore is actually the first step toward making progress.

The general feeling on most of the sesions I attended was that the idea of trying to stop an attack in the sense of building a tall wall and a moat around the castle are long over. Instead, you have to admit the walls have fallen and figure out how you're going to mitigate damage by ferreting out the invaders wherever they're hiding. 

That's why I love the analogy Shaffer gives, that cyber security is like dealing with a house invaded by ants.
Susan Nunziata   Cybersecurity Funding: CISOs Share Their Top Tips   2/28/2014 7:57:41 PM
Re: Love this quote
@Salik: that's a discomforting thought, that our personal information might be used as a pawn in some game that a security team is playing with it's c-level in order to get funding...Yikes!
Susan Nunziata   Cybersecurity Funding: CISOs Share Their Top Tips   2/28/2014 7:55:53 PM
Re: Love this quote
@Curt: heh heh. Good question! I can say with certainty that you'll never ever find one to admit it. 
David Wagner   Cybersecurity Funding: CISOs Share Their Top Tips   2/28/2014 7:03:40 PM
Re: Love this quote
@Curt- Which do we prefer? The criminals or the government driving IT spending? Or is there a difference anymore?
Page 1 / 2   >   >>

The blogs and comments posted on do not reflect the views of TechWeb,, or its sponsors., TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.

More Blogs from Susan Nunziata
Susan Nunziata   5/28/2014   111 comments
For more than four years, (E2) has been the best IT community on the Internet. As with all good things, soon our time together here will end.
Susan Nunziata   5/20/2014   95 comments
Is it time to ask for a raise? If you're a female IT executive, or more than 55 years old, your answer might well be a resounding "Yes!" Let's take a look at highlights of the ...
Susan Nunziata   4/14/2014   15 comments
If you're looking for more than conjecture to back up the point that IT is increasingly crucial to the business, you'll find what you need in the report "The Gartner CEO and Senior ...
Susan Nunziata   4/7/2014   3 comments
Do you know what your CEO really wants from your IT team? Do you have a grasp of what matters most to your organization's chief marketing officer?
Susan Nunziata   4/1/2014   9 comments
There are plenty of challenges involved in leading an IT organization in the era of Bring Your Own Everything (BYOE), but there are also plenty of opportunities.
Latest Archived Broadcast
We talk with Bernard Golden about accelerating application delivery in the cloud.
On-demand Video with Chat
Register for this video discussion to learn how tablets can provide true business usability and productivity.
E2 IT Migration Zones
IT Migration Zone - UK
Why PowerShell Is Important
Reduce the Windows 8 Footprint for VDI
Rethinking Storage Management
IT Migration Zone - FR
SQL Server : 240 To de mémoire flash pour votre data warehouse
Quand Office vient booster les revenus Cloud et Android de Microsoft
Windows Phone : Nokia veut davantage d'applications (et les utilisateurs aussi)
IT Migration Zone - DE
Cloud Computing: Warum Unternehmen trotz NSA auf die „private“ Wolke setzen sollten
Cloud Computing bleibt Wachstumsmarkt – Windows Azure ist Vorreiter
Like Us on Facebook
Twitter Feed
Enterprise Efficiency Twitter Feed
Site Moderators Wanted
Enterprise Efficiency is looking for engaged readers to moderate the message boards on this site. Engage in high-IQ conversations with IT industry leaders; earn kudos and perks. Interested? E-mail:
[email protected]
Dell's Efficiency Modeling Tool
The major problem facing the CIO is how to measure the effectiveness of the IT department. Learn how Dell’s Efficiency Modeling Tool gives the CIO two clear, powerful numbers: Efficiency Quotient and Impact Quotient. These numbers can be transforma¬tive not only to the department, but to the entire enterprise.

Read the full report
The State of Enterprise Efficiency in the Virtual Era: Virtualization – Smart Approaches to Maximize Gains
Virtualization is a presence in nearly all enterprise data centers. But not all companies are using it to its best effect. Learn the common characteristics of success, what barriers companies face, and how to get the most from your efforts.

Read the full report
Informed CIO: Dollars & Sense: Virtual Desktop Infrastructure
Cut through the VDI hype and get the full picture -- including ROI and the impact on your Data Center -- to make an informed decision about your virtual desktop infrastructure deployments.

Read the full report
A Video Case Study – Translational Genomics Research Institute
e2 Video

On the Case
TGen IT: Where We're Going Next

7|11|12   |   08:12   |   10 comments

Now that TGen has broken new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions, the company discusses what will come next for it and for personalized medicine.
On the Case
Better Care Through Better Communications

6|6|12   |   02:24   |   11 comments

The achievements of the TGen/Dell project could improve how all people receive healthcare, because they are creating ways to improve end-to-end communication of medical data.
On the Case
TGen IT: Where We Are Now

5|15|12   |   06:58   |   6 comments

TGen is breaking new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions.
On the Case
TGen IT: Where We Were

4|27|12   |   06:45   |   10 comments

The Translational Genomics Research Institute wanted to save lives, but its efforts were hobbled by immense computing challenges related to collecting, processing, sharing, and storing enormous amounts of data.
On the Case
1,200% Faster

4|18|12   |   02:27   |   12 comments

Through their partnership, Dell and TGen have increased the speed of TGen’s medical research by 1,200 percent.
On the Case
IT May Improve Children's Chances of Survival

4|17|12   |   02:12   |   8 comments

IT is helping medical researchers reach breakthroughs in a way and pace never seen before.
On the Case
Medical Advances in the Cloud

4|10|12   |   1:25   |   5 comments

TGen and Dell are pushing the boundaries of computing, and harnessing the power of the cloud to improve healthcare.
On the Case
TGen: Living the Mission

4|9|12   |   2:25   |   3 comments

TGen's CIO puts the organizational mission at the heart of everything the IT staff does.
On the Case
TGen Speeding Up Biomedical Research to Save More Lives

4|5|12   |   1:59   |   6 comments

The Translational Genomics Research Institute is revamping its computing to improve speed, storage, and collaboration – and, most importantly, to save lives.
On the Case
Computing Power Helping to Save Children's Lives

3|28|12   |   2:13   |   3 comments

The Translational Genomics Institute’s partnership with Dell is enabling them to treat kids with neuroblastoma more quickly and save more lives.
Tom Nolle
The Big Reason to Use Office

3|18|14   |   02:24   |   46 comments

Office and personal productivity tools come in a first-class and coach flavor set, but what makes the difference is primarily little things that most users won't encounter. What's the big issue in using something other than Office, and can you get around it?
E2 Editors
SPONSORED: Mobile Security — A Use Case

3|4|14   |   04:27   |   16 comments

New mobile security solutions can accommodate a wide array of needs, including those of a complex university environment.
Tom Nolle
Killing Net Neutrality Might Save You Money

1|16|14   |   2:13   |   16 comments

The DC Court of Appeals voided most of the Neutrality Order, and whatever it might mean for the Internet overall, it might mean better and cheaper Internet VPNs for businesses.
Tom Nolle
The Internet of Everythinguseful

1|10|14   |   2:18   |   19 comments

We really don't want an "Internet of Everything" but even building an Internet of Everythinguseful means setting some ground rules to insure there's value in the process and that costs and risks are minimized.
Tom Nolle
Maturing Google Chrome

12|30|13   |   2.18   |   25 comments

Google's Chrome OS has a lot of potential value and a lot of recent press, but it still needs something to make it more than a thin client. It needs cloud integration, it needs extended APIs via web services, and it needs to suck it up and support a hard drive.
Sara Peters
No More Cookie-Cutter IT

12|23|13   |   03.58   |   21 comments

Creating the right combination of technology, people, and processes for your IT organization is a lot like baking Christmas cookies.
Sara Peters
Smart Wigs Not a Smart Idea

12|5|13   |   3:01   |   46 comments

Sony is seeking a patent for wigs that contain computing devices.
Tom Nolle
Cloud in the Wild

12|4|13   |   02:23   |   15 comments

On a recent African trip I saw examples of the value of the cloud in developing nations, for educational and community development programs. We could build on this, but not only in developing economies, because these same programs are often under-supported even in first-world countries.
E2 Editors
SPONSORED: Is Malware Evading Your IPS?

11|18|13   |   03:16   |   4 comments

Intrusion prevention software is supposed to detect and block malware intrusions, but clever malware authors can evade your IPS in these five main ways.
Sara Peters
Where Have All the Mentors Gone?

9|27|13   |   3:15   |   38 comments

A good professional mentor can change your life for the better... but where do you find one?
Tom Nolle
SDN Wars & You Could Win

9|17|13   |   2:10   |   5 comments

VMware's debate with Cisco on SDN might finally create a fusion between an SDN view that's all about software and another that's all about network equipment. That would be good for every enterprise considering the cloud and SDN.
Ivan Schneider
The Future of the Smart Watch

9|12|13   |   3:19   |   39 comments

Wearing a bulky, oversized watch is good training for the next phase in wristwatches: the Internet-enabled, connected watch. Why the smartphone-tethered connected watch makes sense, plus Ivan demos an entirely new concept for the "smart watch."
Tom Nolle
Cutting Your Cloud Storage Costs

9|4|13   |   2:06   |   3 comments

Cloud storage costs are determined primarily by the rate at which files are changed and the possibility of concurrent access/update. If you can structure your storage use to optimize these factors you can cut costs, perhaps to zero.
Sara Peters
Do CIOs Need an IT Background?

8|29|13   |   2:11   |   23 comments

Most of the CIOs interviewed in the How to Become a CIO series did not start their careers as IT professionals. So is an IT background essential?
Ivan Schneider
The Internet Loves Birthdays

8|27|13   |   3:25   |   69 comments

The Internet has evolved into a machine for drumming up a chorus of "Happy Birthday" messages, from family, friends, friends of friends who you added on Facebook, random people that you circled on G+, and increasingly, automated bots. Enough already.