Contributed by Steve Dickson, CEO of Netwrix
CISOs often struggle to convey the importance of security to executive leadership and justify additional investments for their projects, no matter how important they are. It is difficult to ingrain security principles into the wider business model, even though they are crucial for reducing the risk of incidents, such as costly data breaches.
So how can CISOs drive more attention to their security projects and build stronger communication with the board? For CISOs, this requires comprehending the challenges that the business movers and shakers are most concerned about, building discourse around these challenges, and convincing executives that the IT security team is capable of addressing them in concert with other departments.
By and large, there are three primary challenges that CISOs should keep in mind when talking to board members:
Business challenge #1: Increase revenue and velocity
Your responsibility as CISO is to defend the organization against cyber threats, while the board’s goal is to make the company grow and keep it away from regulatory and legal troubles. Although it is not always evident, these missions are interconnected, and you need to articulate how threat protection actually facilitates business growth. There are several arguments you can use.
First, no organization can grow without customer trust and loyalty, and a healthy security posture is a cornerstone of trust. In light of recent breaches compromising the sensitive data of millions of people, your clients and partners will surely value transparency into how your company uses and protects their sensitive data. By enabling you to do this job well, executives are giving themselves a powerful narrative for earning loyalty from a wide range of stakeholders.
Second, you should explain how you tackle security risks associated with compliance and legal issues that could hinder the organization’s growth.
Finally, you need to discuss how an inability to respond promptly to incidents could damage the company’s revenue and reputation. The Netwrix 2018 IT Risks Report revealed that only 17% of organizations have an actionable incident response plan. This statistic is quite disturbing, since there is always the possibility of malicious actions and human errors. Therefore, you should develop a thorough incident response plan and explain to the board whether your organization is prepared to recover from incidents as quickly as possible to minimize financial and reputational damage.
Business challenge #2: Build a solid business strategy
A strong business strategy must take into account the risks the organization faces, including cyber risks. You are the one who should articulate how IT risk management can contribute to the company’s success.
First and foremost, you should conduct regular IT risk assessments to know the risks your organization faces and map them to business outcomes. When presenting the results of the assessment to the board, be ready to show a list of current and finished projects, summarize spending, and detail the return on the company’s investments in these projects (customer satisfaction, reduced costs, etc.).
Then you should highlight any risks that have not been properly addressed and suggest action plans for remediating them. Be sure to identify stakeholders from the board and explain their roles in executing these plans. This approach will likely enable you to gain support for your initiatives from the individuals accountable for risk, as well as nurture risk-based thinking among the leadership.
In the long term, board members will get used to making decisions in the context of the company’s overall cybersecurity risk exposure, rather than within the narrower context of their individual functions. This means that security will no longer be an afterthought for them. Instead, when they develop a new project or product, they will ask for your expertise to ensure that their initiatives won’t pose unnecessary security risks to the company. This mindset is extremely important for having a healthy and risk-resilient business strategy.
Business challenge #3: Save time and cut costs
Being able to demonstrate how your security initiatives can help the business save time and cut costs on specific processes is the best way to show your department’s efficiency. It is especially important when you are asking for more budget. To support your argument, I recommend having a metrics-heavy dialogue.
For instance, suppose you plan to implement a solution for data discovery and classification in order to enhance the security of sensitive information. Explain how this solution will not only help the company avoid costly data breaches, but also refine data management processes and make data easily searchable, so employees will be able to perform certain routine tasks X times faster and the company will not have to hire additional employees. On top of that, the VP of marketing will be happy to hear that the investment will help their team purge lost and unengaged leads and focus their efforts on relevant leads, thus optimizing time and money spending across the department.
If you present the value of your current and future projects this way, the chances that you will get the investment you request will be very high. Moreover, you will demonstrate that you are not a geeky amateur, but a leader who knows how to count money and is eager to help the company optimize its budget spending.
By focusing on issues that matter to your board and presenting security as a business enabler, you will get executive buy-in for your initiatives. In the future, this approach will help you extend your influence beyond the server room and enable you to establish a solid security posture that ensures the company operates and grows in a risk-based way.
The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.