We teach a lot of cybersecurity classes around here. We have students from around the United States (but I don’t think we’ve had anyone from Alaska yet, so if you’re in The Last Frontier you could be first)! We also occasionally get folks from other countries.
In these classes we have interesting conversations where we share experiences, discuss successes, and cover how to deal with challenges. One that we frequently hear in our LRS NIST Cybersecurity Training Bootcamp class is this: “I know what we need to do to be more secure, but I can’t get the people who control the money to pay for it!”
Isn’t that always a problem? Well, maybe not if you work in a perfect organization (I just included the link to support SEO).
A Tangent, But Not Really
When we revamped our NIST Framework courses back in 2020, we recognized this was an ongoing concern for many cybersecurity professionals. As you may know, or perhaps you don’t, we currently have four courses in our NIST cybersecurity training portfolio. They are LRS NIST Cybersecurity Framework Foundation, Practitioner, Bootcamp, and Ransomware. The Foundation and Ransomware classes are rapid-fire, one-day sessions with a great amount of helpful content. The Practitioner course is two days and gives us plenty of time to deep-dive into lots of really involved cybersecurity topics. Bootcamp is just Foundation and Practitioner taken back-to-back over three days.
One of the most interesting aspects of offering NIST Cybersecurity Framework courses is the opportunity to jump beyond just technical, and even business aspects, but also into some casual psychology. In Module 8 of the Practitioner course, one of the topics is “Aiding and influencing strategic cybersecurity implementation decisions.”
Yeah, We Know About the Money Issue
We know most of you feel there isn’t enough cash for cybersecurity needs, and we directly address it in that topic. Of course, the issue usually isn’t a lack of money, it’s just the money not being allocated to improving cybersecurity and reducing risk. Also, we don’t disparage those who make the financial decisions. They’re generally doing what they believe is best for the organization based on their own experiences.
But wouldn’t it be great if the decision makers would just give us the money so we could lock the place down the way it needs to be done? Seriously.
However, the truth is, if there is a lack of sufficient funds going towards cybersecurity, that’s often on us, the cybersecurity experts.
Wait, Wait, Wait, Wait
Hold on a second. Don’t be getting all mad at me.
I’ve been where you are. Asking but not receiving, pushing to get risks mitigated and doing my best with insufficient funds. I’m not talking on this point from a place of no experience. More than once I’ve had to figure out how to work on a shoestring budget.
But then I learned the secret. There really is an ethical way to get more money for cybersecurity. We talk all about it in our NIST Cybersecurity Framework training courses, specifically Practitioner and Bootcamp. So, if you’ll just go ahead and sign up for one of those, I’ll be happy to share the secret.
Just kidding. I’ll tell you now, but don’t let my boss know. I’m going to give you this info for free, even though I’m apparently supposed to make money for the company in this job.
And I Quote…
Let me quote you some amazing info from a relatively average cybersecurity guy (if you click the link he’s the one with the vertical hair, the other one is WAY smarter):
“Priorities drive decisions; in many ways, organizations are like people. What they consider important is where they focus their efforts. In other words, organizations will make decisions which support the priorities they have established. Once cybersecurity practitioners understand the organization’s priorities, they can be used to support improved cybersecurity. To do so, cybersecurity needs should be aligned with the known organizational priorities. For example, in a healthcare organization, if there is a security weakness due to the use of simple username and password authentication, a cybersecurity practitioner could demonstrate how moving to multifactor authentication is the best method to meet HIPAA password requirements.”
In that less-than-thrilling quote the secret was revealed. Did you catch it? Here, I’ll make it easier:
Once cybersecurity practitioners understand the organization’s priorities, they can be used to support improved cybersecurity. To do so, cybersecurity needs should be aligned with the known organizational priorities.
Getting the money (or other resources) you need to meet cybersecurity or risk management concerns is best accomplished by changing the focus. Rather than trying to convince decision makers to buy what we think is important, we need to discover what they think is important and get them to buy more of that.
Can You Please Be More Clear?
Sure, thanks for asking. The best, most sincere (and successful) salespeople don’t try to sell what the customer needs, even if it is a desperate need. Most people aren’t generally looking to buy what they need anyway; they are really trying to find a way to justify buying what they want.
So, the honest, smart salespeople sell what the customer wants, and make sure the want also fulfills the desperate need. Here’s how that applies in our situation.
You’re a cybersecurity pro. Maybe you’ve even taken NIST cybersecurity courses. You know what is needed to shore up your security and reduce your risk to an acceptable level. But do NOT go to the decision makers and try to sell them on the idea of your cybersecurity solution. You know that fails too often. You’ve got to avoid that temptation. Why? Because that’s trying to sell them on the need.
Instead, you must find out what they want! Is it HIPAA or GDPR compliance? Perhaps they are subject to the rules of PCI-DSS. Maybe they’re trying to get more business as a reseller. Every organization has some compliance obligations, business growth plans, goals, objectives, industry standards, certifications, or other areas they want to reach or maintain. And if you know what those are, you can likely find a way to make your known cybersecurity needs align with one or more of them. When you align your organization’s cybersecurity needs with your organizational high-level wants, you have a much better chance of getting resources directed where they need to be.
As We Close
Let me make just a couple more points. If you cannot find a legitimate organizational priority to align with your cybersecurity need, then you might want to question whether it is a legitimate cybersecurity need. Cybersecurity should always serve what is important to the organization, not the other way around.
And finally, I’ve given you just one short nugget of value from amongst an entire gold mine (hyperbole intended) that you can find in our NIST Cybersecurity Framework training courses. I’d be happy to have you join us soon so you can enjoy all the rest we have to offer.
Troy Stoneking
Certified NIST Cybersecurity Framework Professional Trainer and Cybersecurity Assessor