By Gerry Grant, Chief Security Officer.
If you’re feeling under pressure to address a growing number of cyber security threats on a budget that hasn’t grown exponentially with these risks, then you’re not alone.
Increasingly, senior management and the board are asking questions about cyber security and looking for reassurance that company information and networks are secure. However, it is still common for IT and security departments to feel that there is too little investment to do things properly, and therefore too little for them to be able to answer these questions positively and in good faith.
At a recent cyber security event we hosted, this recurring issue was raised. How do you quantify the risk of attack? And can you put a monetary value on it? How do we convince a non-technical board?
So how does an IT department get sufficient buy-in from the board, and agreement on the investment required to protect the business?
1. Keep it simple
Often the board don’t fully understand the IT infrastructure or why the IT team is asking for additional investment. When pitching a new security product or service, try to lose the technical terms and instead outline the benefits to the business. Explain and demonstrate how it will reduce risk.
The board might not know what DDoS (Distributed Denial of Service) is, but they will understand that an attack on the website could take the online store offline for days during the crucial sales period.
2. Adopt a quantifiable risk-based approach
The main purpose of the board is to ensure the profitability and future of the organisation. Speak to them in terms of risk, and be brave enough to put a value on it. Focus first on high-level risks and how these could affect the operation of the business. How long could the business survive with no IT? A day? A week? A month? How much revenue would it lose if all IT (email, phones, access to shared drives) went down, even for a day? Demonstrate how critical IT is to the business. No email or phones working? How do you communicate with staff, suppliers and customers? Offshore monitoring systems down? Are lives at risk? Are your emergency response documents still accessible?
Focus on how much money the new controls could potentially save the organisation, not how much they cost, and talk about the potential reputational damage that will go alongside a cyber-attack. To put this in context, cybercrime is estimated to cost the British economy over £6 billion a year with the average cost to SMEs, which bear the brunt of such activity, as high as £25,000, according to the Institute of Directors (IoD). Figures released last year by the Department for Digital, Culture, Media & Sport highlighted that four in ten businesses and two in ten charities experienced a cyber security breach during the previous year.
3. Bring real life examples
Take a case study or two of real-life cyber-attacks, preferably from the same industry or sector you operate in. Show them how the attack affected the victim and what the victim could have done to mitigate or prevent it. Don’t focus only on the high-profile cases unless you can relate them back to your own business. Make it real for them.
4. Relate it to business strategy
Find out and familiarise yourself with the overall strategy and objectives of the business. Show how the plans you have for security align with these goals and objectives or how the plans will help achieve them. Does the company have an environmental objective to protect wildlife, a staff incentive scheme based on zero accidents, a 24/7 customer help desk promise? Strong cyber security defences will ensure that monitoring systems continue to keep equipment and people safe, and that customer services do in fact remain open 24/7.
5. Propose solutions
Don’t just focus on the problem. Show the board that you have a solution to it. Let them know that you have something that will benefit the business, that it has been costed, and that it has a proposed start and completion date for implementation. Address the critical items first; later, once those have been shown to benefit the business, you can start looking at the ‘nice to haves’.
6. Bring in a third party
Often management don’t believe the experts they hire. It’s not until an external party comes in and points out the shortcomings that they begin to listen. If you can, get an external organisation to carry out a vulnerability audit or penetration test to highlight the weaknesses. Don’t be afraid of the results: they are more ammunition for you to take to the board when asking for additional resources or investment.
Do your research, keep it non-technical, concentrate on solutions and tie these in with company objectives; after all, it’s the same board that signed those objectives off in the first place.
Finally, security nearly always competes with other priorities in the business, but as Russ Verbofsky, CIO and CISO at the New Mexico Department of Game and Fish, said: “You can pay me today or tomorrow. But tomorrow includes a press release describing that we weren’t proactive in protecting our data and systems.”