For many IT professionals, attempting to promote the urgency of security preparedness to senior leadership feels a bit like screaming in a soundproof booth. The IT team at Target, for example, tried sounding the alarm bells to the C-suite to no avail – and we all know what happened next.
No one wants to be the next Target or Sony, a lesson in what not to do. But even with a weekly barrage of headlines highlighting the latest cyber-attack victim, the overall attitude towards investing in cybersecurity seems to be a resounding shoulder shrug.
That sentiment was reflected in RSA’s latest Global Breach Readiness Survey, which found a majority of firms to be unprepared in preventing or mitigating advanced cyber-threats. The study found that 30% didn’t have a formal incident response plan in place, and of those that did, 57% hadn’t updated or reviewed it. And despite the barrage of high-profile breaches in the news, PwC’s State of Security 2015 survey found that only 42% of respondents said their board actively participates in the overall security strategy.
IT managers understand how important a strong cybersecurity defense is to an organization, but to the C-suite, it’s just one of a host of business priorities they have to balance. Often the C-suite won’t act until they feel the very real consequences of lax security – but by then it’s usually too late.
Immerse Yourself in the Business Strategy
The challenge is speaking to the C-suite in a way they can understand and that encourages them to take action. Senior management will trust people who understand the short-, mid- and long-term objectives of the organization. Interview department managers to find out which network resources are required to meet their objectives and which failures would be particularly damaging from a reputational point of view.
When you’re done with this step you should have a feel for the areas of cybersecurity exposure that you want to address and what assets are important to keep the business running.
Once you believe you’ve identified what types of risks your company faces if critical systems are compromised, it’s time for an independent security audit to verify your beliefs. The basic goal is to confirm exposures and to identify in more detail the areas of vulnerability. What are the hard costs (direct costs like hiring security experts, litigation or revenue losses) and soft costs (like reputation or time spent by internal staff) if critical systems were hacked?
This is the language the C-suite understands: time and money. Weigh those costs against the probability that something bad will happen. You’ll want to address the high-impact, high-probability areas first; this might seem obvious, but you’d be surprised how often it doesn’t happen.
A Clear Sell, Ready Whenever
Now that you have thoroughly identified and verified where the issues are, the next step is determining what remediation will involve. Some problems are harder and more expensive to fix than others, and at this point you may need outside experts to help you with the process.
When you present risks, do so in terms that are specific to your business and clearly identify the potential loss and the likelihood it could happen. Avoid jargon and don’t get too technical. If you don’t succeed, keep trying and make sure you document the conversation you had with the decision-maker.
But even after you’ve done all the hard work, made a strong presentation, and (hopefully) secured the budget to implement a modern, dynamic security system that addresses the key concerns, the job is far from over. Keep your security audit reports current so you’re ready to give updates on your progress when you’re called upon, and be sure to run free analysis tools and follow up on the major threat areas on a regular basis.
Hackers know companies, especially small to mid-sized enterprises, struggle with the cost and complexity of properly securing their networks, making them prime targets. Organizations need to be proactive. IT security professionals have a responsibility to walk senior management through the current state of security, explain the risks using business impact terms, and execute corrective measures as soon as possible.
About the Author
Richard Barber has served in several executive-level finance roles, including CFO for MOD Systems, a privately owned digital media software company. Barber has also served as an independent financial consultant to high-technology companies and held various positions, the last of which was Senior Manager, at KPMG LLP.