Sometimes it takes a big hit for everybody to get on board with cybersecurity initiatives.
60% of small businesses that suffer a cybersecurity breach are forced to close, which means that, for you especially, prevention is better than cure.
Help your board understand the security threats that could affect your particular organisation. Don’t spend too much time presenting generic trends and statistics. Instead, help them see the connection between those security trends and the challenges that are very specific to your business and industry. The more context you can provide, the more relevant it will be to your board.
For example, you can talk to them about your company’s biggest source of revenue and give them examples of how security threats such as ransomware could put it at risk. If your company keeps sensitive data such as financial records, you could show examples of the legal implications and fines your organisation could incur if such data were publicly released.
Show them how an attack works, how easy it can be to compromise security. Give them real examples of the issues you are already facing as well as the risks and the long-term effects that those problems could have.
Executives like their metrics and numbers. It is, therefore, important that you align your security priorities with your company’s goals and deadlines. Acknowledge their business and IT priorities and show how security will help them achieve those priorities.
Show also the flip side: how a security incident could put their plans at risk. For example, if you are about to launch a new product, what is the potential damage to your business of having that intellectual property made public or destroyed?
In fact, it doesn’t need to be a hypothetical issue. If you can quantify how existing security issues are already costing your business, then that makes for an even better argument.
It is unlikely that you will get everything you need from a one-off conversation. Make your communication simple and frequent. Establish regular catch-ups and report often on relevant metrics. Don’t be afraid to repeat yourself and try out a few different angles until the message gets across and you secure the funds and support you need.
In many cases, security professionals struggle to speak the same language as their board of executives and help them understand why they need to prioritise investment in security. When a public cyber attack happens and executives see the multidimensional damage it causes, then those reasons to invest become crystal clear. Conversations (and changes) happen at a much faster pace when everyone understands the issue.
This is where laws such as the General Data Protection Regulation (GDPR), which took effect in May 2018, can help improve security.
Companies that are already investing in security may not have a lot to worry about, as they are probably well on the way to being compliant (on the security side of GDPR). On the other hand, for those organisations that have been struggling to secure funds to invest, GDPR offers a great opportunity to get security professionals and top leaders on the same page. New legislation such as this forces minimum standards on companies, which will help support greater technology innovation in the future.
Data privacy and IT security are not only regulatory requirements, but also customer demands. It is becoming more frequent for companies to get questions from their customers about how they are handling their data. There is a relationship of trust, an assumption that the company receiving their data will take good care of it. The law is just there to ensure that companies are doing all they can to honour that trust.