ANS Blog

Talking to Management about Better Cybersecurity

News of cyberattacks continues to dominate the headlines, and there’s no reprieve in sight. Despite this fact, many IT professionals still struggle to get their message across during conversations with non-technical company leaders at the executive level. But for small and mid-sized organizations, as threats evolve and become more dangerous, improving these conversations is an absolute necessity.

A key factor for IT professionals who are serious about improving their organization’s security posture is the ability to convert technical concepts into the language of business risk. By helping executives understand the impact of potential attacks, IT professionals can break down misconceptions and start getting their message heard.

Why Are Cybersecurity Conversations Such a Challenge?

The tendency toward organizational inertia. For all sorts of reasons, too many executives are comfortable with their current cybersecurity posture; two very common attitudes are “it can’t happen here” and “we’re too small to be a target.”

Lack of technical knowledge. Unless an organization is large enough to have a Chief Information Officer (CIO) or Chief Information Security Officer (CISO), it’s highly unlikely that anyone in the upper levels of management will have a technical background in security, or even a technical background at all.

Different “languages.” Conversations about cybersecurity are difficult because fundamentally, the two groups usually don’t speak the same language when it comes to risk. IT people see risk in terms of the threats to their assets and network, while executives typically see risk in terms of the financial costs to the business.

Compliance confusion. Executives often confuse IT compliance with IT security, when compliance should be taken as only the bare minimum standard. The truth is, compliance with regulations such as PCI or HIPAA doesn’t mean that an organization is secure against cyber threats. For a detailed discussion on this topic see our blog article, Why Being Compliant Is Not the Same as Being Secure.

In order to successfully convince executives and usher in needed changes, IT professionals need to be able to address each of these.

How Can IT Professionals Get Management Buy-In?

Being able to successfully convey the importance of investing in cybersecurity requires a big shift in the way IT Professionals present the information.

Focus on sound investment strategy. It’s true; new cybersecurity purchases will tend to always be viewed as an additional operating expense. But rather than allowing the conversation to focus solely on how much it’s going to cost the organization, IT Professionals should direct management’s focus to whether the tools are a sound investment. Cybersecurity has to show the value that it brings an organization. Security programs can’t be carried just for the sake of security. They have to operate within the context of the organization’s overall business objectives and help the company meet those bigger goals.

Don’t be afraid to address cost. Even though there are ways to avoid making it the sole deciding factor, the ability to address the issue of cost is important. One way to do this is being able to show that spending the money is less of a financial risk than not addressing the vulnerabilities the purchase is designed to tackle. This is especially true when discussing budgets with CFOs (or equivalents), who relate everything to money and return on investment. If you don’t have a solid view of where the organization’s biggest operational, legal and financial risks lie, befriend someone who can help educate you. Note: this is an easier conversation to have if your organization is subject to regulatory compliance, since violations often result in legal action or fines. 

Focus on risk. Addressing risk is critical when talking to C-levels and other top management. Risk mitigation is a key link between an organization’s cybersecurity and its business units and operations. Top management want to reduce exposure and liability, and IT Professionals are the folks who can accomplish this task. The risks and costs of a data breach or malware infection are twofold. There are the immediate, emergency-related ones associated with responding and recovering, plus the estimated loss of revenue during this same timeframe. But there’s also the long-term damage to your organization’s reputation, as well as legal actions and settlements that could result.

Make it personal. The most effective lines of persuasion are those that hit closest to home. Most of us are overly-saturated with the continual barrage of news about massive cyberattacks happening all over the world; they’re all scary, but still abstract. What’s really scary is showing how a current flaw with the company’s security procedures puts information, and employee careers, at risk. No company executive wants to be embarrassed by a news report or, worse yet, a call from a client or supplier, for something like a data breach or hacked email or social media account.

Positively connect cybersecurity to revenue and productivity. Let’s face it; IT and those responsible for security can often be perceived as the “department of no.” Even worse, they may be seen as the “killers of innovation and, in turn, employee efficiency!” The truth is that innovation and efficiency can be the things that give an organization an edge over its competitors. So anything proposed that’s viewed as hurting either of them is going to be viewed as a risk to revenue. This means IT Professionals have to shift the perception from “disabler” to “enabler.” This is definitely not an overnight process. But it can be built over time by consciously presenting ideas and solutions in such a way that they positively connect to, and support, revenue and productivity. It can start with creating a habit (or formal process) of regularly talking to colleagues about what they are working on. This can better the chances of incorporating the right level of security into their projects from the get-go. Another habit or process should be checking in with system end users, the ones who often feel the effects of security measures on their productivity. This is often a tough conversation because implementing sound security practices (like multi-factor authentication, for example) often adds another step that slows people down. In these cases, be ready to talk about the tradeoff between tolerable levels of inconvenience, and how “easier access for everyone” includes cybercriminals.

Positively connect cybersecurity to client satisfaction. Again, here’s another instance where it can often seem like there are competing forces at work within an organization—with IT being viewed as the “killjoys.” This time, the struggle lies between the departments responsible for creating the services and/or products customers use, and the folks whose job it is to ensure those products and services are being delivered as securely as possible. The challenge is to keep the customer service ecosystem secure without impeding systems performance and negatively affecting the customer experience. Once again, it’s helpful to be at the forefront of new product and service offerings, and to be able to positively position new cyber spending in a way that translates into a better/more secure customer experience. Remember, the average executive isn’t going to understand when you try to make your case using technical jargon, but they will care about a non-technical explanation of how security fits into and improves this area.

Recruit a Champion at the C-level.  Without a top-level exec or manager in your corner, it will always be a lot harder to convince executives of the need for new cybersecurity solutions. Key figures like the CEO, CFO, or COO (or their managerial equivalent) are the most important to win over. To do this, IT professionals need to make their arguments using the language of business and financial risk: meaning the loss of revenue, decreased productivity, brand damage, and lawsuits that can result from a cyberattack.

Invest time in education and engagement. It’s often up to IT Professionals to help executives become more educated and engaged when it comes to cybersecurity issues. More and more, top execs need to be aware that cybersecurity is not just “an IT issue.” Becoming savvier about cyber risks and solutions (at least on a basic level) is now a necessity—as is understanding the role of top management in fostering an organization-wide culture of security. This includes having the information necessary to ensure the right systems, processes and people are in place to keep pace with changes. When educating executives, resist the temptation to talk about super technical details. They DON’T need to know about server configurations or the nuances of the organization’s patch management strategy. But they DO need to know if the company can muster enough server resources to prevent a denial of service attack or has a Windows patch strategy that reduces the ability of attackers to use known exploits.

We can help

IT Professionals know that when it comes to cybersecurity, the rapid changes occurring mean cyberattacks are no longer a question of “if,” but of “when.” And it’s often up to them to successfully communicate the value of security investments in order to improve their security posture. IT and cybersecurity are no longer purely technological issues. To be effective in their positions, IT Professionals now have to be able to speak the language of business to get buy-in for new investments by top decision makers. Being able to effectively move cybersecurity discussions from technical issues to business issues that require continual investment is ultimately the key to success.

Need some help from Advanced Network Systems talking to the C-Suite? Contact us -- it’s what we do best.