How to Win Cybersecurity Buy-in From the Board
Raymond Evans, Founder & Penetration Tester, CyDefe Labs
Knowledge, fear, and a little bit of manipulation. These three things are how I win buy-in from the board. They may sound a little drastic, but let me explain further. Knowledge of both the challenge and the board members will help you inform them properly: fear will allow the board to respond appropriately, and manipulation will help you direct their response appropriately in order to get the solution you desire. I’m now going to dive deeper into each of these three techniques.
Knowledge
When you are trying to win approval from the board, you need the board members to be informed accordingly. That means you need to know your audience. Don’t assume the board knows as much as you do. Do not present the board with technical details about a problem. Are your servers vulnerable to Heartbleed? If so, inform them about how Heartbleed can affect them and what is needed to be done to prevent the vulnerability. Do not tell the board “Here is the code for the Heartbleed vulnerability /* Read type and payload length first */ hbtype = *p ; n2s(p, payload); pl = p;.” You will quickly lose their attention and see their eyes glaze over.
Fear
The next thing you need in order to attain the board’s approval is a bit of fear. Avoid ‘world burning, sell all your stocks and run for the hills’ kind of fear. Use facts to adjust the proportionality of the fear properly. Impose upon them how dire the situation can become if appropriate actions aren’t taken, and use real world examples to justify your requests. Individuals tend to act differently when they’ve observed how others have been impacted. Use headlines from reputable news sources when presenting information. A board member is more likely to be impacted by a New York Times article than a personal blog, for example. Remember to also bring a list of facts with you to any kind of approval meeting. If you are well informed of the situation, you can either dispel any unnecessary fear and misinformation, or you can inform them how much impact a situation can truly have.
Manipulation
The last thing that can help you get buy-in from a board is a little bit of manipulation. Never present the board with a single solution – always bring choices. I tend to bring two real choices and one extravagant choice. The extravagant choice will almost always get thrown out the window as soon as the members see it. After the initial shock has hit the board, they will naturally feel relieved to see the more reasonable options. Remember the biggest blockade to any solutions you present will always be monetary. Home-grown solutions will almost always win board approval, but if home-grown isn’t an option, the cheapest will most likely be chosen, so compile that wish list wisely.
These techniques may not work for everyone. In my experience, however, a combination of knowledge, fear, and a little bit of manipulation are the way to go.
Chris Diogenous, Chief Commercial Officer, London Digital Security Centre
How to win cybersecurity buy-in is the million-dollar question. We engage with a broad cross-section of small and medium enterprises, from a five employee company to a 240-employee hedge fund, and unfortunately winning buy-in from the board can be an uphill struggle.
In the first place, cybersecurity has to be on their radar. Too many businesses see it as an IT issue, an unnecessary cost, or don’t quite understand the lexicon and therefore bury their heads in the sand.
We, as collective cybersecurity experts, need to stop talking about ‘waterhole attacks’ or ‘bite and switch’ and instead focus on the business risk. Cybersecurity needs to be communicated as a business risk, not an IT issue. By framing it this way, business leaders can understand it far easier. Governance, risk and compliance are processes which board members understand and have used time and time again.
The constant news of cyber-breaches or technology flaws which leave key digital assets vulnerable help raise cybersecurity awareness to the board. However, do not fall into the trap of overselling the risks and, therefore, how great your solution is. Equally, don’t make sweeping statements such as “we are the only company which can solve these challenges.” Casting aside the moral aspects of that approach, it is counter-productive and will not help to drive the security agenda amongst the board, nor will it help them see you as the preferred or trusted partner.
The forthcoming GDPR is a hot topic right now, which is a great opportunity to communicate cyber-risk to board members. Messages around cybersecurity should not change because GDPR is arriving, however, it does hold significant risk, which will undoubtedly help to focus minds.
When we talk to businesses leaders or owners, it needs to come from a business perspective, taking into consideration the people and process, not just a technology angle. The board has to make hard-nosed decisions on all types of investments, so why should they invest in cybersecurity? Help them to understand the risks and the impact on their overall strategy and how they can mitigate against those risks, but be clear, concise and highlight the benefits of good cybersecurity.
We all know that the potential financial, reputational and regulatory loses can bankrupt a business, and there are plenty of examples out there, but start slowly. Ensure the board understands the risks, break it down, start small and get the basics right so that the board can see the benefits before you ask for significant investment.
Finally, if you have a champion in the organization who really understands the challenges, work with them to frame the conversation to the rest of the board – they will understand the personalities and what makes them sit up and listen far better than you ever could.
Andrew Barratt, Managing Director, Coalfire
Getting board-level buy-in and support is often seen as the Holy Grail for cybersecurity projects. The board controls both the purse strings and the strategic direction, so being able to engage with, influence and inform them is a must for any aspiring CISO or head of information security.
The key is to really understand the board’s role and drivers. The board is there to govern an organization, set strategy and quite often report key business metrics to the shareholders and stakeholders.
While the knowledge and expertise in the boardroom might vary between organizations, the executive usually covers the core bases: finance, operations, HR and sales. Some organizations are starting to position a CISO on the board, or at least having one that reports in to the board.
If you don’t have a CISO, however, or if you are wondering how to pitch a security initiative to the board, it’s important to understand what they care about most. As a security professional, you need to show you understand their problem and can either attach yourself to it or show that you are part of the solution.
Take three big board metrics: revenue, cost and operating risks. Your initial tactic might be to position everything as a risk mitigation to the COO. You’ll also need to understand how your initiative affects those other big metrics too.
Is your security initiative something that can help increase revenue? Do you have customers who are asking to see xyz security things as part of the service or an audit? Does not having it mean that customers or business partners may not renew business?
If so, this is now a revenue risk. Don’t focus purely on risk reduction. If this issue supports revenue, or enables the company to protect revenue, then demonstrate this to your stakeholders. This will usually be the C-level sales person and your chief financial officer.
With them and the COO on board in advance, you immediately have three supporters whose business challenge you are attached to before you even pitch to the executive.
The same approach works for others as well. Can you reduce costs by outsourcing some security solutions? Or is the board strategically looking to outsource? Knowing the strategy means you build your security initiatives to be aligned with the board’s business strategy.
Taking this approach means that simply by understanding those key drivers, you will easily overcome board hurdles without throwing lots of doom and gloom about security vulnerabilities at them.
You’ll be talking their language. Most C-suite executives will switch off if you just throw scary vulnerability stats at them. They know the business isn’t secure, (or if they don't, they should). What they want to know is that you can respond well to security challenges and support the board metrics – revenue, cost and risk.
When you can show you’re giving a return against these metrics, you are most likely to win discretionary budget. They're not just investing in cybersecurity, they’re investing in the business.