What are some example catalysts for security budget funding?
We were a Workday client, but we were not using two-factor authentication (2FA) at first. We’d just been talking about it, until there was a spate of hackers getting into instances and changing direct deposit information. They got into two or three employees through a phishing scheme. We caught it before we ran payroll, which was great. But that was the catalyst to implementing multi-factor authentication (MFA). Once the president and my colleagues on the executive team heard about this, we got MFA for all employees within a couple of months and now it’s also implemented for all students.
We got our budget to do backups after we got hit by an attack a couple years ago. Everyone cut budgets during COVID, but one of the two projects that didn't get a budget cut was the security roadmap. Not a single penny was taken out of that. The incident cost us a lot to clean up and we were completely dark for almost six weeks. We had 15K employees and managed everyone through a cell phone for six weeks.
When we first saw the first crypto thing pop up, we sent an email to make sure it was a valid message and to get an idea of how much they wanted. Then we strung them along for about two weeks. We sent another email saying, "We're still thinking about this." We did that on purpose because we didn't trust the backup we had of AD; we didn't know if we had backed up and were intending to restore an infected copy. The attackers tried multiple things to infect us, but eventually they’d created a global group policy object (GPO) and deployed it to every single machine. That gave them enterprise-level AD access, and at that point we didn't know when they entered, so we needed to find out how far we would have to roll back.
We all knew the statistic that 72% of companies that were infected get hit again within a year, and we were determined not to be one of them. We ended up not paying, but there was a week where our tech team and the two people we flew out from Microsoft were all scratching their heads. They said, "I don't know. Maybe it's safe, but we'll have to do a little more forensic digging." Until we knew we had a safe AD, we were going to keep stringing the attackers along because AD is the key to the kingdom. You have to do all your forensics and figure out the time, date and the infection pathway. Then you’ll know when it's safe.
Sadly... a breach.