Posted On: August 18, 2020

How to Get Buy-In for IT Security

Learn how you can create a culture of cybersecurity. Find out why it’s critical to have IT security conversations before an attack happens.

Many business leaders aren’t fully aware of how IT security can impact their operations and bottom line. To get buy-in for your cybersecurity initiatives, you must show the financial impact.

Leadership teams often have a false sense of security. They think: “it won’t happen to us” or “only the most sophisticated hackers can breach our defenses.”

However, almost 80% of IT decision-makers said that they had experienced at least one incident over the past 12 months that was so severe it required a corporate-level or board of directors meeting afterward.

Many of these cybersecurity attacks occurred as a result of basic security vulnerabilities that made it easy for cybercriminals to stage an attack. For example, hackers who lack technical know-how can find someone’s login information or purchase stolen credentials. Once they have this information, they can extract data from your network.

Just because you have a security product that is in the top right of a Gartner Magic Quadrant doesn’t mean you are safe. That is a false sense of security. Make sure you keep your tools tuned and you stay up to date with the latest best practices. You don’t want to say: “I didn’t know this security tool was running in the background.”

Don’t set it and forget it. That will result in big consequences.

Since every organization is at risk, it’s vital to have cybersecurity conversations before an attack instead of waiting until after one occurs. Your company, especially your board of directors, must fully understand your risks and the steps you can take to avoid a breach.

How to Develop a Culture of IT Security

There are three main ways you can create a culture of IT security.

  1. Show the consequences in hard numbers

Many leadership teams think cybersecurity is something the chief information officer (CIO) or chief information security officer (CISO) should handle. Only 36% of IT leaders said that other executives see cybersecurity as a strategic priority, which impacts their investment in technology and personnel.

However, the entire company owns the risk and will face the consequences in the event of a data breach. For example, losing customers’ trust after their data is compromised impacts the entire business—not just IT.

This makes cybersecurity a business issue—not just a technical problem.

If you want to get buy-in for your cybersecurity initiatives, you must explain its business impacts. Show the board how ignoring IT security will impact your bottom line. If you’ve tracked any previous attacks, discuss how they originated, which areas of the business they affected, and what they cost you.

In addition to outlining the hard expenses, such as legal fees and technical mitigation, be sure to discuss the costs of brand damage and other intangibles.

Your board may not be aware of the frequency, scope, and financial impact of a data breach. Showing them real numbers can motivate them to invest more in your cybersecurity initiatives. In fact, 68% of IT leaders said their boards of directors are not briefed on what their organizations are doing to prevent or mitigate the consequences of a cyberattack.

  2. Build a risk profile

In the past, corporate boards would rely on management to mitigate risks. After the 2008 financial crisis, boards became more accountable for preserving a company’s bottom line.

An IT security risk profile can help your leadership team stay informed and accountable. When you create a risk profile, be sure to address the following areas:

    • IT infrastructure, including hardware, software, mobile devices, and Internet of Things (IoT) devices
    • Enterprise resource planning (ERP) system risks, such as unplanned downtime that leads to productivity and financial damage
    • Connections to your partners, vendors, and customers that may expose sensitive data
    • Privacy risks and potential regulatory violations that may lead to hefty fines
    • People’s actions and awareness when interacting with systems
    • Too many definitions of what risk means

When you look at each item, give it a security score based on industry best practices and data. Then, rank it in order of priority so that you know which items to address first. Present this information to your board in a visual manner, such as with dashboards. This will help others see your risks and quickly assess your most vulnerable areas.

Then, as you take steps to improve your security posture, you can show the board how your dashboards compare over time. Review them face to face at least quarterly; when you are initially rolling out your IT security program, communicate with your board of directors monthly.

  3. Speak their language

Most business leaders don’t get excited about the latest security technology and best practices. If you focus your presentation on the technical aspects of IT security, leadership may tune out. Instead, they want to know answers to the following questions:

    • What are the cybersecurity problems?
    • How will those problems impact the company in financial terms?
    • What types of actions are needed to minimize risks from these problems?
    • How much does it cost to fix the problems?

Addressing these topics will give your leadership team the information they need to make informed decisions. After you share this information, the board can decide if they want to accept your current IT security risks or take steps to mitigate them.

Keep the Cybersecurity Conversation Going

The IT security conversation isn’t over once you get buy-in. Leadership will need regular updates on new risks, concerns, and regulations. Keep the board of directors informed on how your efforts are impacting the business and your bottom line.

Just saying it is the right thing to do is never enough.

Business leaders are always looking for return on investment, which includes not just tools but also best practices. To learn more about protecting yourself from today’s cybersecurity threats, read The Ultimate Guide to Enterprise IT Security. You can also contact us today to discover how we can help you with your security posture.