Executive buy in for cyber security
Introduction
Cybersecurity is a hot topic right now. There are all kinds of ways for hackers to steal your data and break into your systems, but you don't have to be an IT guru or a techie to know that it's important to have strong cyber security measures in place. You may not even know what those measures should look like or how they work, but what you do understand is that if you don't invest in cybersecurity now, there will be serious consequences down the road. So how do you convince executives and board members who aren't tech-savvy that this issue is worth their time? Here are some tips on getting buy-in from your executives:
Convincing the board and executives to invest in cybersecurity is difficult
Convincing executives to invest in cybersecurity is difficult. Executives have a lot on their plate and don’t want to waste time reading reports that they don’t understand. They don’t understand the risks of cyber security, how it will impact the company, or what to do about it.
You need to convince them that it's important, what they need to do, and why they should do it.
You need to convince them that it's important, what they need to do, and why they should do it.
- Cost:Do they have the budget? How much security is it going to cost? What are the risks of not implementing security? Is there an ROI (return on investment) for implementing cyber security? If so, how long will you have access to this data before someone else does? Do you have any third party providers that can help with compliance issues or training employees on cyber security best practices.
- Time: Are there any deadlines in place for when your company must get compliant or will be fined by the government if not compliant. This might be helpful if this happens closer than expected but can also be used as leverage later down the road if management starts dragging their feet again on getting everyone trained up on how best practice works when talking about topics like phishing scams and awareness campaigns against social engineering attacks where hackers try tricking users into giving away sensitive information such as passwords by pretending to be someone else within your organization such as a co-worker asking for help with something urgent sounding but really just trying
You have to ask yourself why they should care.
You have to ask yourself why they should care. If a cyber attack is not going to impact their bottom line, then it's probably not something you need to worry about. If your company is small and can't afford the resources for cyber security, that's also a reason not to worry about it—at least until you're bigger!
The most important question is: Is this threat going to tarnish my reputation? This can be anything from reducing my brand value, making me look more vulnerable than I want potential clients or investors thinking I am (or at least look), or causing me big reputational damage with customers who feel unsafe using my products and services.
Your job is not just to assess risk, but also to deliver it in a way that stops it is understood by stakeholders.
You need to be able to communicate the risk. You may have assessed it and determined that a particular threat is high, but you still need to explain it in a way that makes sense to your stakeholders. If you can’t do this, then your risk assessment will not be accepted or acted upon by them.
You also need to deliver the information they need to make decisions. The last thing anyone wants is for their executive team members to feel like they are being given more information than they can handle or use effectively in making decisions about how best to address cyber security risks within their business model and industry ecosystem.
If any of these challenges sound familiar, then take heart: there are steps we can all take together toward achieving our end goal of getting executives on board with cyber security!
Risk management starts with knowing what is most important for the business.
The first thing to do is determine what the risks are. What is the risk of being hacked? What is the risk of losing sensitive data? How much money are you spending on cyber security right now and how much more would it cost if something bad happened? Answering these questions will help you understand where your enterprise’s vulnerabilities are, so that you can put together a plan to address them.
You should also look at how much money is at stake when it comes to preventing these things from happening. If your company's reputation depends on protecting customer data and preventing breaches, then it makes sense for IT security to be one of their priorities (and for executives to get buy-in).
Make sure you understand the business as well as you understand your security stack.
The first step to a successful executive buy-in is understanding the business as well as you understand your security stack. A lot of times when we talk about security, we tend to think in terms of “what are my technical controls and how can I make them better?” But it's important not only to understand what those technical controls are but also why they're there and what their goals are.
It's important that you understand the business as well as you understand your security stack. It's also important to understand how they work together, because they often don't get along very well—especially in highly regulated industries like healthcare or financial services where there's an inherent tension between protecting sensitive data and maintaining operations critical for survival.
Communicate threats and vulnerabilities in terms of dollars.
When it comes to convincing executive leadership of the importance of investing in cyber security, you’re going to need some compelling statistics. You should be prepared to show how much it costs businesses when they experience a data breach or other incident.
Data breaches are getting more expensive than ever before: In 2018, the average cost per record exposed was $214 (up from $181 in 2017). The average cost of a data breach has also increased by $14 million over the past five years.
What’s more, these figures don’t include things like legal fees and reputational damage—costs that can really add up in situations where sensitive personal information is leaked or stolen.
Focus on how security ties into the rest of the business.
The most important thing to do is understand the business. You've got to know what's important to them, you've got to understand their goals and risks, and you need to make sure that your security stack is aligned with their business strategy. If the two aren't integrated, they're not going to be able to support each other effectively or efficiently.
Work with IT to get a handle on how long recovery from a disaster would take.
You should work with your IT department to get a handle on how long recovery from a disaster would take in your company. This should include all the details of what needs to be done and who needs to sign off on it, as well as how much time it will take. The more detail you can provide, the better. If there are processes involved that are outside of your scope of knowledge, make sure you talk with someone who knows them well enough so that when you’re asking for help or advice later on, they can give it confidently.
How much downtime can your business withstand?
When it comes to cyber security, you need to know how much downtime can your business withstand? The answer is likely that you have no idea and that’s why you should do some research.
If your business has ever been breached by a cyber criminal, then it’s likely one of two things:
- You had no plan in place for recovery or disaster recovery (DR).
- Or if there was a DR plan in place, it wasn’t tested properly.
Cybersecurity isn't just about preventing intrusions; it's about protecting your organization's entire infrastructure.
Cybersecurity isn’t just about preventing intrusions; it’s about protecting your organization's entire infrastructure.
In order to do this, you need to understand the business and how it works. What are its most important assets? How does it operate? What are its biggest risks? Once you know what those answers are, you can then create a plan that is tailored specifically for the needs of your organization.
It is important to keep in mind that cyber security has become a top priority for companies across all industries, but especially those in technology and finance where digital assets are often stored or transmitted over the internet.