Advice to facilitate budget/financial buy-ins

To get back to financial/budget buy-ins, I would like to make two very distinct but complementary points. The first is that LOTS (and I mean it in capital letters) of infosec work is either not technology-bound at all, or can most likely be implemented, or at least started, with the tools currently at your disposal.

I once was in a hiring position, and the unfortunate candidate, whose profile was a really great fit for my needs “on paper”, told me that he left his former employer because he was hired after the closing of the budget forecast, hence he didn’t get any credits and wouldn’t be able to get anything done or moving. This, to me, was a threefold tremendous mistake:
1. For some (if not most) companies starting their infosec journey, hiring an infosec specialist is already costing a lot of money (their spending basically goes from virtually 0 to your paycheck);

2. You don’t really need much money for lots of things, especially getting governance started, engaging with business representatives to understand their priorities, and kick-starting an awareness program (phishing simulations or password cracking are great first-hand exercises);

3. When you think you need a technological investment, you basically have two options: express your needs in business language and/or be creative:

  • First example: outsourced backups. Those tend to cost, so explain to your boss that should something go south it will probably take a quarter, if not a semester, of downtime to reconfigure everything from scratch. No one at the C-level table could in their right mind tolerate this much downtime if your business is at least somewhat information-system dependent (spoiler alert: they all are);
  • Second example: MFA (Multi-Factor Authentication). I will only speak of what I know first-hand (being the Microsoft world), despite being fully aware that alternatives exist. On a Microsoft M365 tenant you can, and absolutely should, activate MFA; it is even cost-free! What can be pricey is frictionless MFA, called Conditional Access, which is included in various (messy…) licence packages [1].
    Hence you can easily present the situation as follows: MFA is a must, so we can either safeguard our business the brutal way and lose employee productivity and (even worse…) commitment/drive, OR invest money in licences allowing us to keep it as transparent as possible for our company’s most important assets: its people. This shifts the discussion from a purely technological topic to a corporate/HR topic with technological ramifications. Corporate/HR concerns will get you CEO/CFO buy-in; technological ones won’t. It’s as simple as that.
  1. This GitHub site is a true life saver when it comes to understanding Microsoft licence bundles: https://github.com/ksagala/Licensing. Huge kudos to Konrad Sagala for putting this together and solving headaches for lots of people; Konrad has been a Microsoft MVP for decadeS (as in 20+ years), which is pretty impressive. Funny story: I once was in a commercial call with lots of Microsoft representatives (those guys always come in squads, never ever alone…) and the Microsoft employee whose title was something like “Information security licences specialist” sent us this article (which we, fortunately for our negotiation, knew beforehand), saying that Konrad can explain licence bundles in a clearer way than anyone at Microsoft can. What a mess!
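Before taking the MFA discussion to the CFO, it helps to know which of the two options the tenant is currently on. The script below is an added example (not code from the original post, nor from the Licensing repository linked above): a read-only check, using the Microsoft.Graph PowerShell module, of whether the licence-free security defaults are enabled and which Conditional Access policies actually require MFA. It assumes the Microsoft.Graph module is installed and that the signed-in account holds the `Policy.Read.All` permission; the cmdlet and property names are those of the Microsoft.Graph module.

```powershell
# Added example (not from the original post): read-only MFA posture check on an
# M365 tenant. Assumes the Microsoft.Graph module is installed and the account
# running it has at least the Policy.Read.All delegated permission.
Connect-MgGraph -Scopes "Policy.Read.All"

# 1. Security defaults: the cost-free baseline that enforces MFA tenant-wide
#    (no per-user or per-app tuning, which is the "brutal way" from the post).
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"

# 2. Conditional Access: the licensed, granular ("frictionless") option.
$policies = @(Get-MgIdentityConditionalAccessPolicy)
$enabled  = @($policies | Where-Object { $_.State -eq 'enabled' })
"Conditional Access policies: $($policies.Count) total, $($enabled.Count) enabled"

# Of the enabled policies, keep only those that grant access on the condition
# of MFA (built-in grant control 'mfa'), and show them.
$mfaPolicies = @($enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'mfa'
})
$mfaPolicies | Select-Object DisplayName, State | Format-Table -AutoSize

# Interpretation for the budget conversation: if neither the free baseline nor
# an enabled MFA-requiring Conditional Access policy exists, the tenant has no
# tenant-wide MFA enforcement at all.
if (-not $defaults.IsEnabled -and $mfaPolicies.Count -eq 0) {
    Write-Warning "No tenant-wide MFA enforcement found: enable security defaults (free) or an MFA Conditional Access policy (licensed)."
}
```

Two caveats when reading the output: security defaults and Conditional Access are mutually exclusive (enabling one requires disabling the other), so a tenant on Conditional Access will always report `Security defaults enabled: False`, which is expected rather than alarming; and the script does not see legacy per-user MFA settings, so a tenant that still relies on those will show up here as unprotected even though individual accounts may be prompted for MFA.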
