Despite data breaches hitting the headlines most days, many security professionals struggle to sign off on the budgets they need to protect their organizations.
CISOs and CIOs can sometimes feel like they are speaking another language in the boardroom. Their executives are results-driven, focused on quarterly revenues and fiscal results. To them, security might come across as an ‘unprofitable investment’ – something that takes away from the bottom line.
Of course, security professionals know that, in the long term, investing now is better than paying for a breach later. Security should be considered a strategic, ongoing investment. It is a risk management concern that needs careful attention.
As the saying goes, an ounce of prevention is worth a pound of cure. Unfortunately, though, this isn’t coming across in most boardroom conversations.
So, what’s a security professional to do? Well, this blog is designed to help you overcome the challenges of talking about cyber security in the boardroom. Read on, take notes and enter into your next boardroom meeting with a new wave of confidence.
Common myths that prevent executive investment
As the saying goes, “You can’t really understand another person’s experience until you’ve walked a mile in his shoes.”
When it comes to selling security to your executive team, you need to think about your leaders’ points of view. Being an executive is no doubt tough; there’s a lot of pressure to cut costs, boost profits and meet stakeholder expectations.
It’s not that your executives don’t care about security; it’s just that they don’t necessarily understand it in the way you do.
Here are some of the common reasons why executives might decline your investment proposals from the outset:
- We already conduct vulnerability scans and penetration tests
Some executives think that penetration testing is a silver bullet against cyber attacks. They don’t understand that the results of a penetration test will often show vulnerabilities that need remediating (aka investment).
- We invested in security solutions last year
Some leaders consider security to be a tick-box exercise. Once they’ve invested, they believe the case to be closed and don’t want to open it again.
- We are compliant with regulations and security standards
Regulations like HIPAA and GDPR, and standards like ISO 27001, offer only a point-in-time validation of a company’s security posture. Often, executives don’t realize that security requirements will also change as their company grows and shifts.
- We’re too small for cybercriminals to be interested
While leaders might like to hope their companies can fly under the radar, 1 in 4 data breaches in the US in 2020 involved small businesses, according to a study from Verizon. These businesses were either directly targeted because they were considered low-hanging fruit or got caught up in supply chain attacks as collateral damage.
- We have anti-virus software
Anti-virus software is an integral part of cyber security — but it’s just that: a part. A successful cyber security plan is much more comprehensive than just anti-virus software.
- Security is a cost-drain, and it takes away from revenue
As we know, the fallout of a data breach can be catastrophic. Lost customers, downtime, compliance fines and reputational damage can cause a business to go bankrupt. But many leaders only see the upfront cost when you show them a cybersecurity investment plan, rather than seeing the bigger picture.
How to go into the boardroom with confidence
Okay, now you have a solid idea of what goes through the executive team’s mind when you tell them about a new cybersecurity investment. It’s not that they don’t want to invest; it’s just that they might not see the need.
It’s your job to convince them that investing in cybersecurity should be a strategic priority. You need to bear a few critical things in mind to do this.
Go into the meeting armed with data and a rough talk track that you’ve rehearsed. Your presentation should be stats-focused and simple to understand, highlighting the critical threats to the business and the KPIs that can be used to measure and address them.
Know your audience
Jargon, technical language and IT-focused concerns will not persuade your leaders that cybersecurity is essential. It would help if you spoke in their language. Don’t focus on technical language when talking about threats and mitigations. Instead, speak about risks concerning the business. Again, put yourself in your executives’ shoes and ask yourself: “how can I make them care about this project?”
Most likely, you’ll want to think about the financial implications of the risks you’re currently exposed to. For example, if you’re pitching for cloud-based DLP software, your intro could go something like this:
“Half of our workforce is working from home, using applications like Slack and Teams to communicate. Now that they’re outside the perimeter, it’s harder than ever for the IT team to keep track of where sensitive data is, who it’s being shared with and why. Our intellectual property, and data that falls under GDPR and CCPA compliance, are at risk. This is a similar vulnerability to the Yahoo breach of 2013. We must invest in cloud-based DLP software immediately.”
Aim for Security-by-Design
As businesses digitally transform, security shouldn’t be an afterthought. Try to liaise with other departments as they embark on innovation initiatives, and bundle in security from the outset. In this way, you can move security from being a blocker of innovation to an enabler, showing the board that you are helping your company move forward safely and securely.
Talk about financial risk
Abstract risk ratings of high, medium and low aren’t going to compel your leaders to invest in cyber security software. Instead, you should use historical data to show how an investment – or lack thereof – could financially impact the business. In other words, motivate your leaders to invest by offering them the long-term financial implications of the solution you need.
Lead and teach
Cyber security is another language to your board members – but you share something in common: you want to keep your organization safe and profitable. It can be helpful to go into the boardroom with a mindset of “I am going to educate my peers”.
You have valuable advice and insights to share, and they can be used to improve the resilience of the organization. So, help your board understand how cyber security and data breaches affect the operational effectiveness of the business, and show them how investing in security can help them govern their company better.
Ultimately, you must remember that you are one of many people vying for the executive team’s time. They will receive requests for any number of initiatives and projects each week. To stand out, you need to make your presentation compelling and relevant. Show your leaders that cybersecurity is a worthwhile investment by putting it in the context of the business. By doing so, you’ll put yourself in a much stronger position to gain proactive buy-in for your cyber security needs.