#255 - Maximize the Outcomes Per Dollar in Cyber (with Ross Young)
===
G Mark Hardy: [00:00:00] Hey, it's probably budgeting season for your organization, and if you don't have all the right insights for how to maximize your success, you might be losing out next year. Listen now for an expert who's gonna give you some insights as to how to maximize your security budget while minimizing your waste.
G Mark Hardy: Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G Mark Hardy. I'm your co-host for today, and I have Ross Young with me on the show. Hello, Ross. Ross is the author of Cybersecurity's Dirty Secret,
a book that's soon to come out, as well as the man behind the curtain here at CISO Tradecraft. I guess we can say that, and a lot of other things as well. So you've had a fascinating career to date. For those people who know about you, they [00:01:00] probably won't mind hearing again, and for those who don't, they're gonna be absolutely thrilled.
So tell us a little bit about how you got to where you are now and all the fun things you've done before that.
Ross Young: Yeah, so I've spent 20 years in cybersecurity. Probably my funnest five years has been as the co-host here at CISO Tradecraft. We're actually on our five-year anniversary, so that's pretty incredible. But the things people will probably most notice about my resume is I spent 10 and a half years at the Central Intelligence Agency, so I was a nation state actor, and I ran their DevOps program, and then I was also at Capital One for about two years.
I got to experience the large-scale data breach that happened and how to respond to that. And then I was also a CISO at Caterpillar Financial for four years. And most recently I was a CISO-in-Residence at an Israeli venture capital fund called Team8. And now you can see a lot more of my content,
'cause you see, I'm very focused on [00:02:00] doing a lot of things for CISO Tradecraft, building out some courses to help our listeners, and doing a stealth startup.
G Mark Hardy: Yeah, so you're really in a give-back mode in a way, because you've made that leap, and we've talked about it before on some other episodes about what it takes to become the entrepreneur when we've gone ahead and spent a career getting a biweekly paycheck. You get used to that, and it's rather nice, and all of a sudden someone's gonna say, let go of the rope and fall to the floor.
And you find out that if you're an experienced cybersecurity professional like yourself, you can always go back. Someone will always hire you back. They said, oh dear, you're damaged goods. You actually tried to be an entrepreneur. But in your case, you're putting together a lot of things. I see a lot of you coming out there on LinkedIn.
There's some great information. So if you're not following Ross on LinkedIn, how do I get you there? It's LinkedIn, Mr. Ross
Ross Young: is Mr. Ross Young, but
G Mark Hardy: Mr. Ross Young.
Ross Young: Young, you'll find
G Mark Hardy: You'll find him right there, or connect through CISO [00:03:00] Tradecraft. You'll find that as well. But a really excellent set of information. So if you're not following him, follow him, because you can get some great insights, and of course, continue to follow CISO Tradecraft. I had mentioned in the early part about your new book that you've got coming out, and you've been working on this thing for the better part of a year. I've watched this thing over your shoulder as it slowly evolves, and I'm really quite impressed with the level of detail that you've got here and the contents and stuff.
You'll see me keep looking over here if you're watching us, because I've got a copy of the electronic book up here, taking a look at that. But how did you pick that, of all things, to write about, and then how did you find so much to write about?
Ross Young: What I found was, as I moved into the CISO role, I didn't need people to teach me more technical, right? No one, the Chief Financial Officer, Chief Legal, was asking about detailed cybersecurity questions I couldn't [00:04:00] answer. But I needed to get my budgets approved. I needed to get my projects through procurement.
I needed to actually figure out how to save money. I needed to figure out how to streamline broken processes. I needed to figure out how to better retain and attract the top talent. And so all of these things that I found were really money related. And what I wanted to do was maximize the outcomes per dollar with every dollar spent in cybersecurity.
And I didn't see anybody teaching that. Yeah, I could read a book and learn about confidentiality, integrity, availability, but that wasn't what I needed in my role. And so as I started just documenting all of these things that I learned, I wanted to give that back as training, because I think they're valuable lessons that can help a lot of other people and a lot of other companies.
G Mark Hardy: It is excellent insight, and I think you're spot on, because every year I go ahead and prepare a cybersecurity budget. And [00:05:00] as a CISO, I've been trying to go ahead and maximize the value. We've had some pretty good years financially the last few years. We don't know what the business cycle is gonna be like for 2026.
There's some storm clouds on the horizon, and for a lot of us, we may be asked to do more with less. And if you don't have a strategy for that, if you don't have a framework or an approach, that's gonna be very difficult. And the cuts that you make may be inadvertently into the things that are keeping your organization alive.
But also you need to communicate to those people who approve or disapprove your budgets the importance of it. So you mentioned in your book that a lot of organizations invest millions in cybersecurity yet still get breached. So it seems that more money doesn't necessarily work. It's not like the Manhattan Project where you just keep throwing more and more money at it, and eventually you get what you're looking for.
What type of mental model shift are you thinking about that is gonna help the readers get a better insight into how to avoid this type of a failure?
Ross Young: Yeah, [00:06:00] there's really so many things here, and I'll just give you one example. What applications does your cybersecurity program run? In a large company, you're probably running 50 to 80 cybersecurity tools, and nobody's even really looking at the effectiveness of each of those tools. So if I have 50 tools and they're not well configured, they're not well deployed, then I'm not actually getting the coverage that I need, so I really don't need more money to buy new tools. I need to make sure my tools are deployed on every endpoint, every server, and all the features that actually safeguard the company are turned on. And so there's little things like that we first have to start measuring.
First have to start using templates. First have to start driving accountability, because otherwise we're just diluting our resources, right? We're spending more time on more things instead of what are the top things that really secure our company.
G Mark Hardy: Yeah, [00:07:00] so being able to prioritize that is important. But you say protect the company. That gets into what are we actually protecting? Are we protecting the ones and zeros, the hardware, or, as you would say, cybersecurity is the business of revenue protection, which I love, and I've used that a few times. But why do you use that phrasing, and why is that important for CISOs to understand?
Ross Young: The reason is this: every CISO I know actually complains they don't have enough money for their budget, and I actually think that's wrong. I think we need to have budget to build and secure the right things. But I also think we can overspend on cybersecurity, and if we overspend on cybersecurity, we take the revenue the company needs to be profitable, right?
If the company made a billion dollars but spent a billion dollars on cyber, they didn't make any money. So I think there's this [00:08:00] careful balance here of how much we spend in cyber, and making sure every dollar is truly accounted for in a way that's really going to help the business. I think that's the big thing that's broken today.
Everybody wants more money, but I don't think everybody comes back to say, let me show you the ROI on every dollar spent so that I'm not overspending in cyber.
G Mark Hardy: And one of the things that I've emphasized over my career is that as a cybersecurity leader or executive, your job is to ensure that your executive team makes informed, risk-based decisions. And that aligns nicely with being able to look at the business of revenue protection, that if your executives are informed and they say, okay, I know that there's a risk if I place a cut here, but I'm willing to sign for it.
I will accept that risk. And different leaders have different levels of risk. We would think, for example, a personality like Elon Musk is gonna embrace a lot more risk than somebody who's running a good old Wall Street [00:09:00] Bank that is doing the same thing year in and year out, trying to be conservative.
And yeah, we get innovation all over the place, but in general, risk taking is personal and that personality is gonna translate into the decisions that the organization makes. So to a large extent what we need to also do as security leaders is to build those relationships with these people who make those decisions.
Kinda understand where they're coming from so we can present that perspective. Now, you mentioned that CISOs should think of themselves as a material CISO wielding a six-shooter pistol. Alright, so I would say a six-shooter revolver, being a firearms guy, but we'll go with six-shooter pistol for now.
What's the purpose of this metaphor, and what are the two large buckets that cyber material problems generally fall into?
Ross Young: Yeah, so the first thing that I would say is I've seen a lot of CISOs try to tackle too much, and they fail. It's a diluted resource problem, right? If I go in an organization, I see 50 [00:10:00] things that I'm gonna deem as priorities, and then I tell my organization, go fix these 50 things. They can't even remember the 50 things.
Let's be honest. But if I go in and I say, these are the six things we have to do this year, and in every meeting I come back and I beat that drum of six things, it's very focused, and that means you're gonna have a lot more to accomplish. Your efforts won't be diluted. Now, within the space, there's really two things that I think all financial investments in cyber fall under.
The first is what I would call risk reduction. We spend money on email security gateways because they're proven to stop phishing attacks. The second is compliance. I have to do things because there's a regulation, there's a third-party agreement, or some type of contract that requires me to do something.
It doesn't mean it actually stops a cybersecurity incident. And I'll just give you an [00:11:00] example of this. No bad actor that I know actually reads your cybersecurity policies. So every hour you spend on those things does not stop the next breach. Now, you have to do it, because every company in your third-party due diligence process is gonna say, send me your InfoSec policy.
But it's not actually risk reduction.
G Mark Hardy: That's a good insight, and I think we get wrapped up with all the paperwork and even compliance. So you talked a little bit earlier about overspending and the danger thereof. Compliance is ultimately, if you will, and I'm gonna pose this as a thesis, and you can either agree or disagree, a pass-fail.
What do I mean by that? Back at Northwestern University, you'd go ahead and you'd take your courses for grades, but they allowed you to take a certain number of classes pass-fail. So if you, for example, are trying to hug that 4.0 average and you think you're having trouble with it, if by the fourth or fifth week of the semester you said, eh, I'll make it pass-fail, then you pass it, you're good, [00:12:00] but you don't have to go ahead and put in
all that extra effort to squeeze out an A, and of course personally you might not care about it, 'cause it's not in your major. It's one of those graduation requirements that we call fuzzy studies. But let's take that over into cybersecurity. So if I'm doing something where excellence is going to pay off, that is to say, the better I do at educating my users to avoid doing dumb things, the better I am,
the better I am at going ahead and responding faster and better to potential breaches, the better off. But when somebody says, hey, fill out this form, or do you meet this particular compliance requirement, once they get to a passing grade, should I keep spending more and more money trying to paint into the corner, or do I just say, good enough?
Is compliance really excellence in security, or is it a pass-fail?
Ross Young: I tend to agree it's a pass-fail, and you just think of, hey, I need to get a SOC 2 attestation audit completed, right? And when you do that, you either have [00:13:00] zero findings or you have a couple findings that you have to go and fix. And when you present the evidence, is it good enough to pass? It can be one screenshot, or it could be a 20-page report.
Obviously, one screenshot's a lot easier to deliver, so why would you do that extra work? And ultimately what it comes down to is the following. Every organization has a certain number of headcount, and the more time you put on compliance, you're taking away from the amount of time they can spend on risk reduction.
So you need to do just enough that all your regulators are happy, but no more, because you need to spend time on stopping the breaches.
G Mark Hardy: So along those lines, if we look at overdoing things, one of the more controversial takes I think you post out on LinkedIn is on cyber risk quantification. Now, why do you think that might actually be doing more harm than good in our industry?
Ross Young: I've seen too many [00:14:00] organizations really drinking the cyber risk quantification Kool-Aid. And here's what I mean by that. We're going to evaluate a risk, and usually they have to identify what is the likelihood and what is the impact. And they multiply those two numbers together to give you a true risk, and sometimes we have decent data.
We can go in and say, hey, last year we had five phishing attacks that were successful against our organization. Each one of these cost our organization 50K. So this year we're expecting 250K of annual loss expectancy. But a problem that really comes up with this is a lot of it is vague math times uncertain math,
which gives us vague and uncertain risk measurements. And this is where I don't like these studies, and I'll give you an example. If somebody says, what is the material loss that's gonna happen with AI harming our company? I don't know. A lot of this stuff, when we start digging around on MCPs [00:15:00] and LLMs and chatbots and all of these things, hasn't really been around that long in enterprise organizations.
We don't have 20 years of historical data like the car insurance industry does. So I just don't have good numbers to multiply by each other to figure out the likelihood, and we just see this over and over. If you have a vulnerability on an internal-facing system, is that 30% likely to be attacked or 90% likely?
There's not really a good number, right? It's this range, but the range is so wide that it makes the whole analysis bad. So what I actually prefer is taking a totally different approach. I tend to just go back to procurement examples. So I go to the chief financial officer in my first 90 days when I walk in as a CISO, and I go in and I say,
help me understand how much a manager versus a director versus a vice president [00:16:00] is authorized to spend on the corporate procurement card. And they'll go and give you some amounts. Maybe a manager can spend 50,000, a senior manager can spend 500,000, all the way up to 5 million for an SVP, and the executive risk committee can spend it all.
Now, when we know these things, we should take the same analysis for risk, right? A manager should only be able to accept the amount of authority on their procurement card, and now we have the same decision-making process. And so now when I like to look at decisions, I like to go back and say, do we think this is gonna be between zero and 50,000,
between 50,000 and 500,000, versus having to get that exact number correct? And I find when we do these orders of magnitude, this qualitative analysis, we get really good results, and we don't have to spend thousands of hours bickering on, where did [00:17:00] you get this 93.27? And nobody believes the numbers, and it's just a nightmare, and it destroys your credibility as a CISO.
G Mark Hardy: Yeah. And we go back to that old quantitative versus qualitative. And now you're getting back to my early days in cybersecurity, which are probably a little bit before yours. FIPS PUB 65, Guideline for Automated Data Processing Risk Analysis, was published in 1979. It's now obsolete, but somebody has gone ahead and put it up on the NIST page under RIP, but it is the old original quantitative thing. How bad can it be? How likely is it to occur? And you're right that what good is that third or fourth or fifth decimal point? It was just a big exercise in mathematics. But if you had good solid input, for example, if you're calculating life insurance premiums and you know the gender of the person, whether they're a smoker or non-smoker, and some other data, you could probably get to three or four decimal points.
I can go to the Social Security website right now, enter in my [00:18:00] date of birth, my gender, and they will tell me within one month when I'm expected to die. Now that's middle of the bell curve, but at least they've got a target. And the good news is every year it keeps moving to the right until it stops. But the qualitative approach, which is what I did back in 1986 when I worked for a little company up in Connecticut called Profile Analysis Corporation, we came up with a tool called RiskPAC, PAC for the name of the company.
And I took over as a software developer for that. And what we did is we used the Kepner-Tregoe algorithm and all these other things, but the idea was that you didn't know whether it was 9.9 or 3.7, but you did have a pretty good feel: low, medium, high, very high, very low. And it turned out that when you took these qualitative labels and you talked to the people who are in charge of the system, who are responsible for accepting the risk or managing them, and you put 'em all together, it normalizes out and you are able to go ahead and prioritize.
And I say, I can't give you four decimal points why this is the thing you ought to fix first. But you know what? [00:19:00] Based on everything that we looked at, you ought to fix this thing first, and I can back it up with all the data that I collected. So I think that from that perspective, we get too absorbed into mechanical processes.
And when we find out that this FIPS publication from over 45 years ago, if we're gonna say that's our reference for how we wanna do business today, I respectfully suggest you need to take another look at it.
Ross Young: And just take the example, if it took you an hour to do the analysis for every one of these decisions, and you spent how many hours doing this across a large Fortune 500 company, and that didn't give you any better results in your decision-making process than this qualitative analysis, that's a sunk cost.
You have just wasted hours, and you can figure out an hourly rate for your executives and everybody else in the process. That's just losing money from your company. And I've seen far too many companies spend millions of [00:20:00] dollars on this cyber risk quantification and not gotten the benefit. So I think it's much more likely that you're going to have a failed implementation than that the cyber risk
quantification actually saves your company money from the risk avoided.
G Mark Hardy: So you may end up doing the wrong things very well, which all means they're the wrong things that you're doing. Now, another point that you talk about is using a cybersecurity budget. Of course, you all are required for the most part to submit a budget. We've even got one on the CISO Tradecraft website, a free template for download.
But what are your thoughts about total cost of ownership, and is it more than just writing a check to the vendor every time your annual renewal comes up?
Ross Young: Yeah, so we have a free template that you can download on CISOTradecraft.com. Just look for the free template section and you'll see it. And really what it is, it's a zero-based budget. I don't use the traditional things of CapEx and OpEx. Instead, what we use is something called Total Cost of Ownership, which is a really good [00:21:00] approximation for how much you're spending in cyber.
Essentially, the total cost of ownership consists of three different levers. The first is, what are your labor costs? If I have an IT application, this many developers are spending their time to build and support that application. The second one is the licensing costs. Maybe I have to pay Oracle fees or pay a license to a SaaS provider for a particular application.
And then the third one is hosting costs. I typically have to pay AWS some fee to host my infrastructure in their cloud environment. And when you add up these three things, then you figure out the total cost of an individual IT application. Now, this is really powerful because each of these levers is a way that you can save money.
So just for example, take licensing costs. Maybe you have zero licensing costs because you're running a free open [00:22:00] source tool application, and you look around and you're like, man, this is heavy on the labor costs. We're spending five people to do this application 'cause it takes a lot of work.
Maybe we actually buy a license that's 200K, but we reduce our headcount by three people, and that's probably over 200K. And so from here, when you start to look at this equation, you can start to see how you can maximize the value within a different budget cycle. And one area I'd really like to call out is within labor costs.
I actually split that into two things. One is called new features, and the other is called operations and maintenance. And they always total to a hundred percent. And what I find is there are legacy applications where you're spending 90% of your time on maintenance. That's a sunk cost that doesn't help you.
Yes, the application is up, but it's a lot of time on labor [00:23:00] wasted. So I look for those applications, and I go in and I say, what if our labor costs for maintenance weren't 90%? They were 30%, and we had 60% of the time to help developers on new feature development. Ooh, I like the sound of that.
Who doesn't wanna build more new features? And so if we go from 90 to 30%, that means 60% of our labor costs are being lowered effectively to maintain this project. And now we can go to a team and say, what would that cost to get to version two of your software? And they may go back and they say, it's gonna be a million dollars for this upgrade.
Okay, a million dollars for an upgrade, and if I have 10 people and now I'm saving six headcount to do that, wow. Six headcount times, say, a hundred thousand dollars per person, that's 600K. Now you have that 1 million divided by 600K, and you start to see what an ROI looks like in terms of how many months, how many years.
[00:24:00] And now you can bring that to your chief financial officer. So this kind of financial kung fu is really powerful for getting your budgets increased, getting your projects funded, and really helping your organization in cyber.
G Mark Hardy: Now, AI is the elephant in the room as we talk about labor and people and development costs and things like that. And I watched Sam Altman's keynote that he gave this past week over at the developers' conference, where they had basically brought in some folks and built applications, no code.
Basically, if you will, vibe coding, but it turns out that they can then attach their AI engine to backend tool sets. So you can say, hey, connect this thing to Zillow, connect this to other things. So we say, hey, I am thinking of taking a job in Kansas City, and I'd like a three-bedroom, two-bath house.
It's gonna be a reasonable commute to this office. And it hooks up, by the way, and it ultimately says, do you want me to set you up with an appointment? Which is pretty clever when you think about the fact that most of that would have to be done [00:25:00] manually. But as we look at this AI, how is that going to potentially impact our labor costs?
And as I'm fond of saying, AI will not take your job, but somebody who knows how to use AI is likely to take your job. What are your thoughts?
Ross Young: It's a massive productivity improvement, and just take the concept of vulnerability management. I have an IT application that has 200 vulnerabilities on it. Let's say it would take 30 minutes for each vuln to be fixed by that developer. That's a hundred hours of work. How many people can take a hundred hours off
doing anything just to do vulnerability management? Probably no developers have that luxury. Now, in tomorrow's world where AI can analyze the 200 vulnerabilities and spit back code rewrites in 10 minutes or less, that might be a 10-minute problem that's now solved, and I guarantee we can find 10 minutes on a developer's schedule, but we may [00:26:00] not be able to find a hundred hours.
So that sort of improvement is really going to change how we code. It's gonna change how we do vulnerability management. I've even seen some great posts, like Sounil Yu posted, hey, what if we didn't even use third-party libraries? What if we just asked vibe code to write all the dependencies for us? And then I never had to deal with patch management from third-party vendors, because all the code is built by AI.
I think we have some really interesting opportunities of how the landscape's going to change.
G Mark Hardy: I think so too. And yeah, I had dinner with Sounil yesterday, so thank you for reminding me that he was in town. But for those who aren't familiar with whom we're talking about, that would be Sounil Yu. He is the author of the Cyber Defense Matrix, and he's also the foundation for the model that you've come up with, the TaSM (Threat and Safeguard Matrix), which we
could talk on other things, but right now let's focus. Let's stay focused here on budget and things, 'cause before you were talking about budget and talking about, [00:27:00] okay, what's it gonna cost for your hosting costs? What's it gonna cost for your licensing? What's it gonna cost for your labor costs? And that seems a little bit more helpful, as you said, than the traditional CapEx or OpEx.
Now, another thing you've come up with is the 9-box template, and I think you posted that this past week and got, what, like 50,000 hits or something amazing like that. So tell us about what is the nine-box and why that might be helpful here in terms of prioritization.
Ross Young: Yeah, I couldn't believe how popular the 9-box is. And basically it's how do we prioritize what projects we should do in cybersecurity? And if you just go ahead and think about this, I think what you're going to see is some just really interesting insights. So imagine you're in your budget planning season, like right now.
And you have 50 different projects that you could potentially fund, but you only have enough money to do maybe 15 of [00:28:00] the 50 projects. How would you go and rank the projects?
We basically create an XY axis like you did in your algebra classes, showing the level of effort versus impact. Hey, let me give you an example what I mean by that level of effort.
How long does this project take to complete? Is it less than 90 days? Let's call that low effort. Is it between 90 days in a year? Let's call that medium effort. Or is it greater than one year? Let's call that a high effort task. And then on the impact, we're gonna call that material risk reduction. Now, I don't put any exact numbers here because it's very different per organization.
Like a material risk reduction at Bank of America is probably a billion dollars, or in the high hundreds of millions compared to the small SMB that is in maybe the tens of thousands of dollars, right? But the idea is you're gonna take each of your projects [00:29:00] and put them into one of these nine boxes of this axis, low, medium, high, on these two, axises, if you will.
And ultimately, what you're going to arrive at is if I can find a task that is high impact, it really reduces risk, but requires little level of effort. Like I can solve this in less than 90 days. That is a quick win. Do that all day long, right? That's the low hanging proverbial fruit that we always talk about.
But if I have something that's maybe the opposite, where it's a, low material risk reduction and it requires a lot of effort. that's a project that I probably shouldn't fund unless there's a very good reason to do it. Like my regulator just required it. I, Yeah, so, this is where you have to understand when things are compliant versus this risk reduction, and you balance this out.
And so please, take a look at the [00:30:00] CISO Tradecraft website for the free downloads. You can get a copy of this PowerPoint. It is amazing in how it can transform your strategy right now when everybody's planning their 26 budgets.
G Mark Hardy: It does and, what happens is you end up sweeping from the diagonal and you say, okay, fine. If it's a low amount of effort, but high value, of course, those are the no-brainers. And then you Sweep kind of diagonal like that. Anything down here you'll never get to and you don't wanna get to it.
I said, in course if somebody says, Hey, we've got a, our largest customer demands it, okay, we'll do it. Because I've worked for small startups before where I remember as a developer, we, the guy running sales came back and says, Hey, can you put such and such into the code? And yeah, it's on our list, but it's like number 47 on our list of things to do.
And he said, if you get it in this week, we'll make payroll this week. Oh, yeah, we could do that. This, we'll do that today. And so obviously things were gonna tend to drive your priorities and you'll make things happen [00:31:00] sooner than others. Another area that we look at where we may find out that we're spending a lot of time and therefore money because it translates into labor hours and more of an opportunity. Cost is meeting waste where we have meeting after meeting. And the more senior you get, the more your peers, you get sucked into meetings and any thoughts how you can lower that particular element of cost and fundamentally waste for a lot of organizations.
Ross Young: Yeah, so one of the quotes that I say, and I get a chuckle from everyone, is "being busy is the new stupid," right? We all fill our calendars with so many meetings because it makes us feel important, but I think we always have to step back and say, is this actually moving the needle? Am I reducing material risk in the company?
And there's gonna be some meetings I can't get out of. But usually when we start to reframe in this perspective, we can see how much meeting waste is happening. And there's been some really good [00:32:00] studies that say over 30% of executives', who are typically the most expensive people in the company, their time is in meeting waste. And so what I like to do is to go in and just start with a simple thing. Does every meeting have a detailed agenda of what you're looking to accomplish? Because I can tell you a bad meeting starts with no agenda. And so if you don't have an agenda, that's probably a good indicator you're gonna create some meeting waste. Thing is, does everybody in that meeting need to be there? Do you have 10 people in a meeting when only three people are decision makers and the others are just kind of fillers? Right now, you've just wasted seven people's time, and there's been some amazing companies who've even gone ahead and created things like Google Calendar additions where you could see the cost of a meeting.
So imagine if this was a $10,000 meeting because every person charged a thousand dollars for that meeting. [00:33:00] Is that meeting really going to give you $10,000 worth of value, or did you just create an expense instead of an asset to your organization? So when we start to look at that and use this framing of the cost per meeting and the value created out of every meeting, I think that's really transformational, and we can save a lot of money from meeting waste and get those hours focused on things that create material impact.
G Mark Hardy: And we can begin with our own organizations. We can't necessarily change the parent organization, but as we drive better effectiveness and better efficiency with our own teams, which is really what we're talking about in general with regard to cybersecurity budgeting, we can go to the boss and say, Hey, have you thought about this? So, quick sea story.
Hey, Navy officers are allowed to tell those. When I was Commander, Center for Naval Leadership, I had eight commanding officers that ran different regions around the country, plus the chief of staff. And so these are all captains, these are very senior officers. And I said, Hey, you know what? [00:34:00] Every week we're gonna have a one hour meeting.
It's gonna start exactly on time, but I will promise you it will always end on time or early. It will never go long. How do I manage to meet that promise? For years, it was the agenda, but a prioritized agenda. The most important things went up first. The things at the end of the agenda were things that, if they waited a week, so what? Or I could just make an executive decision and be done with it. And what happened also is to start on time was a bit of a culture shift, 'cause people would wander in a couple minutes late and they said, we've already conducted attendance. You're being marked as absent. I'm the captain. I don't, yeah, no, you're marked as absent now.
Guess what? After two weeks, nobody was late ever again because they understood that's the way Hardy rolls. That said, think about that, own accountability for your own team. Don't reward people for being late. Start exactly on time. If people know that's how you roll, they'll find a way to be there.
And if you're starting with the most important stuff and they miss [00:35:00] out on contributing to the most important ideas, that's on you. And as a result, that type of behavior, I think if you do it over and over again, is gonna bring some discipline to your meetings. And again, as you said, only bringing those people who are actually contributing.
And if you can cost it out and say this is what it's going to be as an impact financially, look at the opportunity cost of what we could be doing. Now we also talk about zero budget, or a zero-based budgeting approach, which I've gone through a couple of cycles of like that when I was in the military, where the zero-based budget said, okay, you start out with nothing.
Now build from your mission what you need to accomplish that, and then demonstrate that you need it. Not just because I had it, but because I need it. Can we do that in cybersecurity, and do we take these sacred cows, "we've had this for years, why should we get rid of it?", and from a zero-based approach, maybe we end up with a better platform?
Ross Young: Absolutely. So the classic thing of what we do when we do budgeting is we say, take last year's budget, add three to 10%, and that's this year's budget. [00:36:00] But we don't actually review everything that we do. So I actually created another free template you can see on the website for the budgeting. And what we did is we mapped the CIS 18 practices and we said, here's the items. And then on each of those items, what you would do is maybe list some tools and then that total cost of ownership that we already talked about. And the advantage here is now I can go in and I can say, hey, these tools are here for maybe a three year contract, or here's the requirement, NYDFS or HIPAA or PCI-DSS or something requires this function to exist.
So now I get to know, is it mandatory or is it a luxury? And then the other thing I even talk about further in the book is about understanding this effective protection score.
And so if I have a tool and I only [00:37:00] deployed it on 50% of endpoints, let's call it DLP, and out of those 50% of endpoints, only half the features are turned on. We have 50% times 50%, and that is your effective security score. And what you're gonna see is we're paying a lot of money and we've diluted the value of this product so significantly. We're not doing our financial stakeholders justice, so what do we need to do? We either need to, A, get this product working really well, or B, get rid of it and get something that does work for us, right?
And it may not be a DLP, it may be a different tool, unless you have a compliance requirement where you have to do it, or you have actual evidence that, hey, last year this DLP actually stopped this amount of attacks in our company. But if the tools that you're deploying don't actually stop attacks, [00:38:00] let's not call them risk reduction.
Let's say this is compliance. And if there isn't a clear compliance checkbox that it's solving, get rid of it. Murder that tool. It's not giving you the value you think it is. And so having this budget where we start to think about it really allows us to bring all of this software waste up to the visibility where we can make better decisions.
G Mark Hardy: Yeah, that's got me thinking of, I've got a couple renewals coming up where I'm in exactly that same thing. If you find yourself struggling to justify your budget, and if you are the person who's approving budget, I would say exactly the questions that you're entertaining. You should go back to your team and say, explain to me the business impact of this and how efficiently you're using this tool.
If you've only got 25% optimization, or 10% or whatever, why are we using it? I'm beginning to think at this point that you're one of the guests I want to go ahead to a second episode with, because we're getting close to the end of [00:39:00] the first one. But one of the things that I wanna talk about, which is probably really key and maybe what we'll wrap up this week with, is presenting to the CFO.
Do you have tips and tricks and insights and ideas for CISOs that are gonna help them not only justify their budget, but if they're asking for more than they did last year, maybe even more than inflation, increase their odds of success of being able to get that with the CFO?
Ross Young: Yeah, so we do have another free template. I know I keep beating that drum, but there's one where you can actually go see a single PowerPoint slide that shows you how to do exactly this. And this comes from a Forrester analyst who did a great job analyzing all of the security budgets and what really worked well. And so take an example of the following. If you do an ISO 27001 certification, and that costs your organization 30K, how do you best position that in order to get the money to do that next [00:40:00] year? What you might do is you might go ahead and say, look, we have 30 customers who require this from the cybersecurity organization.
Those 30 customers create $30 million of revenue for the company. Do we really care about 30K to protect $30 million of revenue? Now when you have that discussion, it becomes a lot easier to say, I am not going to risk $30 million, if I'm the chief financial officer, on 30K. Make this go away. Yes. Get that ISO 27001 certification.
So when you tell a story like that, not just on, hey, we're gonna identify some risks and all these kind of nerdy things, but you speak in the terms of financial literacy. That's what resonates, that's what generates outcomes per dollar and gets your program funded.
G Mark Hardy: [00:41:00] Right, and again, we're tying it back to business imperatives. It's not security for the sake of security. It's security for business. Revenue protection, if you will. And also by being able to enable your delivery of the service. One of the things that people, I had this conversation with a client who was fretting over the cost of our lease for our offices.
Class A office space is very expensive, with a lot of people not coming into it during COVID and then not a full back to work. There seems to be an awful lot of waste there, but you're locked into a contract, so he's trying to go ahead and save some money, and then he's going ahead and trying to beat up on the IT budget, and saying, look, you can make money without an office.
We've done it. We were shut down for 66 weeks when we implemented this in February of 2020 when the word went out, hey, everybody's working from home. And coincidentally, maybe coincident, maybe not, I let the world decide, we had exercised our disaster recovery plan the week before, having everybody work from home with their phone and their [00:42:00] laptop and their chargers, and then came back in the next day: what did we learn, fix that.
Went home on Friday and then said, okay, take it home over the weekend. And things went high order on Sunday, and we didn't come back for over a year, yet the organization still hit on all eight cylinders. And the answer is that you might have to help inform your sponsoring executives that they can do business maybe without a physical office, a Class A office space.
You cannot succeed in business without your IT infrastructure, and your IT cannot survive unless you protect it. You provide it with the resilience and the defense as well as the capability to go ahead and be there when you need it. And so as a result, it bubbles you up a little bit if they understand that you are enabling the business to succeed in things such as that.
Little bit more about your book. Is this thing coming out next week? I'm gonna find this Amazon bestseller sometime this year. What do we look forward to?
Ross Young: So right now the [00:43:00] book is finished. It's in the editing process, where I'm having people check my grammar and a couple other things here. But we fully expect to have the book released before the end of the year. Now, here's one thing. If anybody wants an early look at how the book is and wants to go into any of these topics a lot more, we've actually turned it into a course that you can find on the CISO Tradecraft website.
So it's called Mastering the Budget, and it's a course to really teach each of these topics. And so you'll not only get chapters from the book, but what you'll also get are all the templates, including more that are not on the website, as well as six to eight minute videos for each of the 30 chapters of the book.
So we think this is a really good way where we're trying to take my 20 years of experience, and seeing organizations lose thousands to millions of dollars, and give you a way where you can just take this class and then bring those lessons learned. So if that's something that interests you, [00:44:00] please take a look at the website.
I think you'll love it.
G Mark Hardy: Yeah, you go to CISO Tradecraft dot com, look at courses, and then you'll see a description, some little samples, things like that. You can sign up as an individual, a team bundle, or if you've got an enterprise, you say, Hey, my whole group of people need to see that. Let us know. We'll help you out. Ross, I want to thank you very much for your insights and your time.
I want you back. I wanna go back and talk more about this because we're in the budgeting cycle. A lot of our listeners or watchers are in the budgeting cycle as well, and this is absolutely timely, meaningful stuff for our audience out there. If this has been good for you, let us know. Give us a thumbs up, a plus one.
Send it along and let us know out there on whatever format that you're listening to this podcast, so we know that we're reaching the right people. If you're not following us on LinkedIn, please do. CISO Tradecraft has a tremendous amount of high signal, low noise information, as well as Mr. Ross Young.
He does a great job of that as well. I do the best I can to post things when I can. But, thank you very much, Ross, for being on the show. This is your host, [00:45:00] G Mark Hardy. Until next time, stay safe out there.