It’s hard out there for an IT professional. IT managers know that a lag in security preparedness will inevitably lead to disaster. The challenge is communicating this to senior management in terms they can understand and that will lead them to making it a priority. Just ask the IT team at Target, who raised concerns to the C-Suite well before the retailer became a cautionary headline.
Security is important, but your C-suite has many moving pieces to balance: competing business initiatives, growth plans, and expenses. A good senior management team won’t wait for their board of directors to tell them what to prioritise, but it doesn’t help that boards are not yet fully engaged in this topic in their role as guardians of compliance.
According to PwC’s “State of Security” 2015 survey, despite the barrage of high-profile breaches in the news, fewer than half (42%) of respondents said their board actively participates in overall security strategy, and only 36% said the board is involved in security policies.
>See also: The digital agenda: A CFO’s secret weapon in the boardroom
You’ve set up the best defense you can, but now you need more money, tools and support. Here are six steps to help you win over your senior management team in order increase their involvement – and investment – in IT security.
1. Understand the business
Senior management will trust people who understand the short, mid and long-term objectives of the organisation. Bear in mind, it’s likely you’ll need to approach things differently if the company has a plan to move most of its business online or begin accepting credit cards for payment, for example.
Interview department managers to find out what network resources are required to meet their objectives. What failures would be particularly damaging from a reputational point of view? When you’re done with this step you should have a feel for the areas of cyber security exposure that you want to address and what assets are important to keep the business running.
2. Use independent verification
Once you believe you’ve identified what types of risks your company faces if critical systems are compromised, it’s time for an independent security audit to verify your beliefs.
The basic goal is to confirm exposures and to identify in more detail the areas of vulnerability. If using an independent third party to do this is too expensive, high-quality, open-source security scanning tools that you can use yourself are widely available online. This isn’t as comforting to an executive as an independent audit performed by an expert, but it’s better than nothing.
3. Figure out how to fix the problems
Now that you have thoroughly identified and independently verified where the issues are, the next step is determining what remediation consists of. This is where the rubber meets the road. Some problems are harder and more expensive to fix than others. You may need experts to help you in this process.
4. Prioritise based on probability and magnitude
What are the hard costs (direct costs like hiring security experts, litigation or revenue losses) and soft costs (like reputation or time spent by internal staff) if critical systems were hacked? This is the language the C-suite understands: time and money.
Weigh those costs against the probability that something bad will happen. You’ll want to address the high impact and higher probability areas first; this might seem obvious, but you’d be surprised how often this doesn’t happen.
5. Time to sell
At this point you have a plan and you want to get approval to move forward. When you present risks, do so in terms that are specific to your business and clearly identify the potential loss and the likelihood it could happen. Avoid jargon and don’t get too technical.
If you execute on all these steps, you will likely get the backing you need to get your organisation on solid cyber security footing. If you don’t succeed, keep trying and make sure you document the conversation you had with the decision maker.
6. Stay on top of it
You’ve done all the hard work, made a strong presentation, and (hopefully) secured the budget to implement a modern, dynamic security system that addresses key concerns. But your job is far from over.
Keep your security audit reports current, so you’re ready to give updates on your progress when you’re called up. Periodically run free tools and follow steps 3 through 5 on a regular basis
>See also: Why data privacy and security should be a boardroom issue
Hackers know companies struggle with the cost and complexity of properly securing their networks, making them prime targets. Organisations need to be proactive and not wait for a cyber attack to engage.
IT security professionals have a responsibility to walk senior management through the current state of security, explain the risks using business impact terms, and execute corrective measures as soon as possible.
Sourced from Rich Barber, CFO, WatchGuard
