How to Work with the C-Suite to Ensure Proper Cybersecurity Resourcing
As the United States (and the world) experiences rising costs in food, gas, and housing; the stock market remains volatile; and major banks such as Citigroup raise global recession concerns, companies are watching their balance sheets closely. At the same time, organizations face the potential of new state-sponsored cyber threats triggered by Russia’s invasion of Ukraine on top of constant threats from other bad actors.
This is a challenging environment for cybersecurity professionals trying to gain budgetary traction with their organization's C-suite, a perpetual hard sell even in good times. CISOs have a strong case for these resources, but they also need to lay it out in ways C-suite executives can get behind. Here are some suggested talking points.
1. Show the dollars and cents costs of an actual cyberattack.
It can be hard to show how much money your company will save by spending on cyber prevention. It is not hard, however, to show real amounts that other companies spent dealing with actual incidents. IBM's Cost of a Data Breach Report found that the average cost of a data breach rose from $3.86 million to $4.24 million last year, the highest figure seen in the 17 years IBM has published the report. A lot goes into that price tag: the expense of rebuilding the company network and recovering vital records and data; hiring third parties to investigate the incident; engaging a public relations firm to handle crisis communications if the company does not have those resources in house; and paying regulatory fines for failure to comply with security regulations. There is also lost revenue from service disruption and from business lost to reputational damage. Smaller companies may not survive at all: there are well-documented examples of firms that permanently closed after a cyberattack.
2. Illustrate how cyber risks are tied to business outcomes
The best way to get the C-suite's attention is to use an outcome-driven approach that shows how to manage the cyber risks posing the greatest threat to the company's overall health. Each C-level executive may have different business and security concerns, such as cost, performance, and legal liability, and a different risk appetite for each. So after defining the company's most important processes and business outcomes, identify how technology supports them and determine which cybersecurity controls best protect them. For example, if C-suite leaders identify ransomware as their biggest concern, it becomes much easier to justify putting resources toward backup and restoration technology (including regular restore testing), employee security training, and business continuity initiatives.
3. Bring C-suite leaders into the risk assessment process
Most C-level executives are accustomed to making business decisions based on risk. CISOs should invite C-suite leaders to look under the hood, demystify the process, and show what factors go into the cybersecurity spending ask. For example, give them demos of firewalls and vulnerability scans at work; ask pen testers to describe their craft; walk them through the steps of incident response; and involve them in a phishing exercise. When those who make budget decisions understand the risks and probabilities involved in preventing and managing incidents, they are more likely to fund the work.
4. Focus on people, process and technology
IT leaders should ask for financial resources in the areas they can most directly influence: people, process and technology.
People. Implement effective security awareness training for every employee, including those in the C-suite. Executives are among the most prominent targets of phishing, and attacks aimed specifically at them are known as whaling.
Process. Put policies and procedures in place that are grounded in recognized best practices, such as the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and that include incident response and contingency planning.
Technology. Widely used and effective cybersecurity technology includes end-to-end analytics tools that incorporate artificial intelligence and machine learning; intrusion detection and prevention systems; network access control; and next-generation firewalls. These tools deliver value only when the people and process pieces are in place to tune them and act on what they report.
5. Build strong relationships with members of the C-suite
CISOs should work to break down organizational silos with the C-suite so that executives understand the importance of effective cybersecurity to the business at every level, all year long. Regularly discussing the factors described in points 1 through 4 with individual C-suite executives, rather than waiting for the annual budget discussion to present to the whole team, helps build that understanding and, crucially, secures financial support for the cybersecurity mission.
For more guidance on the importance of incorporating effective risk management in business decisions, TalaTek’s experts are happy to discuss. Email us at: info@talatek.com.