Security wasn’t even called “security” when Sam Monasteri entered the field in the late 1990s and early 2000s — it was more IT and IT controls, he said.
One of the constants over the course of his career, however, has been winning over the board to fund security at a level that is required. Experts say the security budget for most organizations should be anywhere between 4% and 6% of the IT budget, explained Monasteri, who is currently the vice president of global cyber security at ACCO Brands.
“In most cases, most CISOs would say they’re below that today,” Monasteri told Todd Fitzgerald, vice president of cybersecurity strategy for the Cybersecurity Collaborative, during an episode of SC Media partner Security Weekly’s CISO Stories podcast.
Getting a baseline risk assessment of the organization is a good place to start to getting board buy-in, Monasteri said.
“You have to focus on impact to the business when you communicate impact to the business,” he said. “Bottom line: how’s it going to affect revenue if your organization becomes compromised.”
Monasteri has a “3 Ps” rule to build an incident-response program: Plot, plan and practice.
He said that as an incident response leader, CISOs will want to create and plot an incident response plan and have it reviewed by the organization's legal department. Security leaders should also have playbooks drawn up for likely scenarios, such as what to do in case of a successful phishing attempt or if an organization's laptop has been stolen. For practice, Monasteri said he tries to have a tabletop exercise twice a year — one for the IT people and one for the board.