CISOs Face Tough Challenges When Procuring Security Technologies

CISOs face several internal challenges when procuring security solutions:

• Justifying the purchase
• Effectively dealing with internal stakeholders
• Navigating the internal procurement process itself
• Dealing with the technology solution provider

CISOs are frequently in difficult situations. Sometimes a CISO doesn’t control a security budget. A CISO may not be the ultimate decision maker if an architectural review committee has the final word on procuring security technology. CISOs always have the technical savvy but may not have procurement authority. But CISOs are always influencers; they impact everyone in a company because the security organization is pervasive in all departments and business functions. Their decisions are some of the most important in an organization; CISOs must be advocates for the best security solutions for their companies.

Budgeting for and justifying a security technology solution

Whether or not a CISO controls the budget itself, he still must be the principal champion to justify the procurement of a security solution. A CISO must be savvy enough to support (or sell) security technology procurements based on gaps and internal organization risk tolerance values. Often times, a CISO has to appeal to and base security procurement justifications on what resonates internally within the organization. Procurements are justified based on regulatory compliance needs, cyber threats and risks, competitive pressures or a combination of these elements. Most times, a CISO must do a qualitative cost benefit analysis addressing these elements. Some organizations may also require a quantitative cost benefits analysis; but for many reasons, a quantitative analysis should be avoided because security solutions typically do not lend themselves to strict financial cost/benefit justifications since they are primarily risk based decisions.

Effectively dealing with internal stakeholders

Many stakeholders are often involved in the selection and procurement of technology solutions, including security solutions. Typical stakeholders include the architecture group, network and computer operations, the application development area, and sometimes the business units. Each of these stakeholders has different drivers and concerns, and sometimes they even have both founded and unfounded biases. A CISO must address each of these issues and be savvy enough to discern unfounded biases and to deal with them effectively. Being able to sort out the noisemakers from the stakeholders, and possessing good communications skills are paramount to internal success.

Navigating the procurement process

The procurement process can be quite exhausting, especially in large organizations where the process often seems like an endless maze of twists and turns and hurdles to surmount. The processes require strenuous due diligence tasks, detailed documentation, multiple signoffs and approvals, and time deadlines. The CISO must successfully navigate the procurement process to keep the project on schedule and within internal budgetary timelines. This requires proactive support on the CISO’s part, patiently shepherding the procurement through the system and providing all the necessary documentation.

Dealing with security technology providers

Finally, a CISO must not only select the best solution, but he must choose a solution provider that is aligned to organizational needs and success. This often means that the CISO must recognize that the provider is not selling a product but rather a solution. A successful solution provider is one that helps the CISO address stakeholder concerns and issues and respects the organizational procurement processes and challenges. In other words, the solution provider should be a partner with the CISO to successfully complete the sale and the implementation.

The bottom line

Bottom line: a CISO must successfully address many challenging elements when procuring a new security technology solution. A good solution provider can be very helpful in supporting the CISO to meet these internal challenges. There is a lot at stake when a CISO decides on and procures security technology. Not just ease of operations, successful internal collaboration, and protection of data and systems, but reputational risk.