Cisco Switzerland Technology Blog

Getting the security conversation started with your board

Monday, 23 April 2018

Speaking the same language as your top executives is essential when getting budget and support for security investments.

If you are a security professional, you are more likely to be focused on the operational side of security. C-levels, on the other hand, are more likely to treat security like any other investment. They will consider whether the benefits of investing in it outweigh the risks of not investing. They will also evaluate the long-term effects on company performance and make a decision based on data and evidence, above all else.

If your company has suffered a major cyber attack, your executives are more likely to have first-hand experience of the financial losses that come with such events. However, if you are one of the lucky ones that hasn't had to face public scrutiny following a breach, you may need to demonstrate to your board why they should prioritise security before the worst happens.

Here are a few tips we collected from CISOs on how they present convincing data to their leaders in order to secure budget:

Talk to your board about GDPR compliance

The General Data Protection Regulation (GDPR) is a hot topic right now, which is likely to be on the radar of your top executives. Use GDPR to your benefit. They are probably already aware of the potential fines, so you can jump straight into what GDPR means for your organisation and your data. There is a lot of confusion around GDPR, so help them understand the implications to your company and what investment you require to improve data privacy and security.

Present the risk factors specific to your company

Help your executives understand the security threats that could affect your particular organisation. Don’t spend too much time presenting generic trends and statistics. Instead, help them see the connection between those security trends and the challenges that are very specific to your business and industry. The more context you can provide, the more relevant it will be to your board.

For example, you can talk to them about your company's biggest source of revenue and give them examples of how security threats such as ransomware could disrupt it. If your company keeps sensitive data such as financial records, you could show examples of the legal implications and fines your organisation could incur if such data were publicly released.

Show them how an attack works and how easy it can be to compromise security. Give them real examples of the issues you are already facing, as well as the risks and the long-term effects those problems could have.

Quantify everything

Executives like metrics and numbers. It is therefore important that you align your security priorities with your company's goals and deadlines. Acknowledge their business and IT priorities and show how security will help them achieve those priorities.

Also show the flip side: how a security incident could put their plans at risk. For example, if you are about to launch a new product, what is the potential damage to your business if that intellectual property were made public or destroyed?

In fact, it doesn't need to be a hypothetical issue. If you can quantify how existing security issues are already costing your business, that makes for an even stronger argument.

Repeat, repeat, repeat

It is unlikely that you will get everything you need from a one-off conversation. Make your communication simple and frequent. Establish regular catch-ups and report often on relevant metrics. Don’t be afraid to repeat yourself and try out a few different angles until the message gets across and you secure the funds and support you need.
