Cybersecurity has evolved from an IT project to a global concern, with the National Infrastructure Advisory Council warning of a catastrophic cyber-attack in the near future. Government and businesses alike are scrambling to piece together the cybersecurity puzzle, and as a result, executives are now responsible for addressing the security of their organization. In a study by IBM Security, cybersecurity is viewed as a top concern by 68% of CxOs. Clearly it’s top of mind — but when you’re competing for budget, how can you engage your top executives in your solution? Read on for five ways to gain executive-level support for building a cybersecurity program.
Breaches Resulting in Legislation
A major data breach per month is the new normal in 2018. According to the Breach Level Index, over 4 million records are stolen per day, which equates to 196,288 every hour, and over 3,271 every minute.
If you feel you are impervious to cybersecurity concerns because you don’t have coveted data or your organization is far too small for hackers and attackers to pay mind to, think again: 61 percent of small businesses say they’ve been the target of a cyber attack. And according to IBM’s 2018 Cost of a Data Breach Report, malicious and criminal attacks account for 48 percent of data breaches. 27 percent are due to negligent employees and contractors, and 25 percent originate from system glitches. But it’s not the breach itself that defines the fate of your organization; it’s your preparedness, security, and privacy posture.
Having a strong security posture plan and building a cybersecurity program require executive-level support and buy-in. And at this moment, you have their attention. It’s up to your security and privacy team to develop and communicate a proper vision to share with executive leadership to gain support and garner trust. Here’s where you can start.
Gaining Executive-Level Support
1. Align your concerns with executive-level concerns. How does cybersecurity affect customer churn? Can it potentially affect revenue? How does your cybersecurity posture affect information security and compliance with government regulations? Make direct correlations with the big picture concerns of the business. This is also a good opportunity to break down silos in your organization and gain support by speaking the executive’s language. The only way to raze a silo is to create a unified vision. Take a human approach. Be practical and explicit about potential threats to the organization and your plan moving forward. Collaborate with security advocates in other departments, and use their point of view on security concerns.
2. Ask questions to get the executive to tell the story themselves. Steve Early from Novanta likes to start by asking something like, “Do you believe there’s even a remote chance somebody could walk out of here with information on a deal we’ve worked on that’s worth several million dollars?” Once they admit there is always that chance, ask them what they think the specific impact would be if that happened. “What it is, I make them say the number,” Steve said. “If I let them answer the question about the impact of a breach, they feel it and internalize it.”
3. Use stories and statistics to help move executives to awareness. Although executives at the C-suite level and above tend to be informed, don’t assume that they know about every security concern. Use evidence that directly aligns with your business to communicate your message. “Every single day, it seems there’s another story about data theft, breaches, or another ransomware attack,” said Joe Stolz, Business Systems Manager for Midland IRA. “When I have a budget and buying discussion, I can bring up those stories about how many companies are getting hit and how much it costs companies in terms of dollars and reputation, and make a really good case for adding a security solution.”
4. Present a path forward with technology and a people-centric approach. 58 percent of cyber attacks are carried out by insiders. Make sure you are addressing security from the inside out. Present a path forward that involves both data protection and training, which may be a part of building a cybersecurity program. With a stronger workforce, team members will be an asset to your security posture, saving valuable time and resources for the executive team.
5. Forge genuine relationships in your quest. You may feel like a bother when it comes to capturing executive attention, but with persistence and genuine concern for the business, you can create trust between the C-suite team and yourself. With a solid relationship, building a cybersecurity program is more likely to become a success.
The Foundation of Your Cybersecurity Program
Every organization is different, so an impactful cybersecurity approach should be tailor-made. What’s common to most organizations, however, is the need to protect sensitive data (i.e., customer, prospect, proprietary, and employee information). Creating a strong data protection posture coupled with employee training will offer a strong foundation for your cybersecurity program.
Cybersecurity will continue to be an ongoing project for organizations as global threats continue to evolve. Executive-level support and organizational vision will be paramount to the success of your program.