Getting C-Level “buy-in” is the key to superior cybersecurity
Have you heard of the Golden Rule? That is, the person with the gold makes the rules! It’s an old saying, but it’s also how many businesses operate.
Sure, there are a lot of operational departments in charge of specific areas. But, at the end of the day, it’s the C-Level executives – people like the CEO, COO and CFO – who approve budgets and sign the cheques.
That’s old news to sales, marketing or even HR departments, which have long lobbied hard for a bigger share of investment dollars. But it’s a lesson that many IT professionals within companies have been slower to learn, which may explain why so many companies remain vulnerable to cybercrime.
Tell them what’s going on
With the exception of CIOs and CISOs, most C-Level executives don’t have anything like a full understanding of the threat landscape. In fact, according to one recent survey, 34 percent of C-Level executives are never updated on security incidents.
That’s an odd state of affairs, especially when you consider that 63 percent of respondents said their companies had been the victims of one or more advanced attacks in the past year.
This lack of knowledge may explain the relatively low level of security confidence among most C-Suite execs. Only 39 percent rated their ability to detect a cyber-attack as highly effective. Even fewer (30 percent) felt they were highly effective at actually preventing cyber-attacks.
It is clear that one of the first steps for any CISO interested in ensuring the support of their C-Level colleagues is to let them know what is going on. Once that is done, winning their support in the battle against cybercriminals becomes much easier.
Speak their language
Ordinary IT has its own cryptic language, and cybersecurity is even harder to understand. However, to communicate effectively, you need to use familiar phrases that resonate with C-Level executives, such as “Business Value” and “R.O.I.”
Predicting a precise US$ return on a security investment is difficult. But outlining the potential revenues from the opportunities that security spending can enable is easier, and it can be very effective in capturing attention.
For example, most CEOs probably aren’t very interested in how two-factor authentication works. But they can be fascinated by its potential: how it can increase customer confidence, boost the use of online services and cut overheads while reducing losses from fraudsters.
A risk vs rewards conversation is always far more effective in encouraging executives to think proactively about security than a constant stream of horror stories.
While it is increasingly important, cybersecurity can be an abstract concept for many C-Level executives.
Making it clear to executives that they are “personally” very likely to be targets – especially when working remotely or travelling – can help to focus the discussion.
Making friends makes a difference
The C-Suite is made up of individuals, all of whom will have different motivations, priorities and business objectives. Getting to know them as individuals can really help move the security conversation in the right direction.
A simple invitation to catch up over coffee can pay big dividends. Find out what they need, and then explain how better security can help deliver that and make them more successful.
Participating in top level management meetings is also an excellent opportunity to offer an update on security issues.
Whatever approach, or variety of approaches, you decide to take, one thing is clear: establishing personal relationships with individual executives is the key to securing C-Suite “buy-in” and improving the organisation’s security posture.
By: Barnaby Grosvenor
Head of Cyber Security Services, Adura Cyber Security
With more than 20 years' experience in the cyber risk and information security industry, Barnaby helps corporations in Asia develop holistic, tailored security programmes to drive greater business success.