10 Tips to Get Buy-in From Your CFO for Security Projects

Posted by: Gali Rahamim
July 27, 2023


Everyone agrees that cybersecurity is important – but it has always been, and remains, a tough budgetary sell. Even today, with cybersecurity firmly on every C-suite’s radar, getting funding for an internal cybersecurity program is no simple feat. So how do you make your case to your CFO (or whoever is in charge of assigning budgets in your organization) without slipping into alarmism on the one hand, or diminishing the importance of the project on the other?

To start, let’s consider why it is more challenging to get budget for security initiatives than for other initiatives. The main issue is that it’s hard to demonstrate ROI when you are preventing things from happening rather than making them happen. Simply put, security is an indirect benefit rather than a direct one, and therefore harder to justify. Moreover, security tools are often much pricier than other types of tools and products. So it’s little wonder that CFOs and purchasing decision-makers need to think longer and harder – and need more proof – when it comes to cybersecurity decisions.

Securing budget for, well, security undertakings is something I feel strongly about – before joining XM Cyber as a Customer Success Manager and now the Onboarding Manager, a significant portion of my time in the army was spent building the case for securing budget for new technologies. All too often, organizations lack the skills to present their case effectively and therefore miss out on opportunities to better their security posture. This is a shame, as sometimes the information is all there – it just needs to be organized and presented in a logical format that busy decision-makers can understand at a glance and appreciate in the context of their own pain points and concerns.

In this blog, I’ll present 10 tips I’ve used to make my cases effectively, and I hope you’ll be able to leverage them for your upcoming projects too.

1- Make it about risk, not threats
Cybersecurity is not a project, it’s a process. The landscape never stops shifting, and the goalposts never stop moving. To build a case not just for budget, but for meaningful budget, focus on how your project will reduce the overall risk to your organization’s business goals – not on this or that asset.

2- Know what your neighbors are up to
Don’t be hesitant to learn as much as you can about what your competitors and partners are doing, and then share this intel with decision-makers. It’s not about “keeping up with the Joneses”; it’s about recognizing prevalent industry trends and how others are addressing the threats that you face, too.

3- Leverage others’ misfortunes
This may sound bad, but it’s not. Showcasing incidents that other organizations in your industry have experienced is a great way to demonstrate the importance of the proposed undertaking. Know what organizations in your vertical have been hit with – or have overcome – and use that to bolster your position.

4- Make sure what you already have is working
Over a third of cyberattacks result from misconfigurations. Before requesting budget for your security program, make sure you can demonstrate that your existing stack is properly configured, functioning well, and making the positive impact that was expected of it. Be ready to answer questions about how the new initiative will affect what you’ve already got, and whether your current stack could instead be used to accomplish what you intend to achieve.

5- Make sure you’ve got the human resources to implement and run it
The best solutions still require trained people to operate them. When presenting a budget for a new program, don’t forget the HR angle. If your organization doesn’t have the internal resources, a trusted MSSP can be a good fallback; otherwise, ensure that current team members get the training they need to be successful with the new initiative. This means knowing ahead of time which training programs and resources they’d need, and being prepared to answer for that part of the cost as well.

6- Validate what you did last year using numbers and data
Avoid rejection by proactively presenting an ROI analysis of last year’s projects. Explain to decision-makers how what you spent last year made (or did not make) an impact. Talk about time and money saved (again, or not saved, depending on what you’re trying to prove) in hours and dollar amounts.

7- Use internal data wherever possible
Don’t make your case with tough-to-verify public domain stats. Make the extra effort of gathering and analyzing in-house data about threats and mitigation. Then present it in a clear way that shows the tie-in between security programs and business performance.

8- Provide concrete implementation plans
Be prepared to show how long it will take to get your program up and running and to achieve results. Define clear and realistic success metrics and timeframes, and explain how you arrived at each of these numbers.

9- Demonstrate potential savings
Part of security ROI should be cost savings. Will your new program make the organization more compliant and lower the risk of regulatory penalties? Will it save significant IT time and resources? Will it lower cyber insurance premiums?

10- Shop around
Most projects involve new technology, and nearly every technological solution has an alternative. Cover all your bases by shopping around, gathering information about features and pricing, and presenting your program in comparison to the alternatives. Whether your solution of choice is cheaper or pricier, be prepared to explain why it’s better.

The Bottom Line

There’s no magic formula for getting budget for your initiatives – sometimes you can do all the research in the world and arm yourself to the teeth with sound reasoning, and yet, owing to a million potential causes (did anyone say “The Economy”??), it may still fail to materialize. But I hope that by focusing on tangible impacts and showcasing your project’s actual significance, you’ll be able to garner the buy-in you need from key decision-makers.
