It’s hard out there for an IT professional. IT managers know that a lag in security preparedness will inevitably lead to disaster. The challenge is communicating this to senior management in terms they can understand that will lead them to making it a priority. Just ask the IT team at Target, who raised concerns to the C-Suite well before the retailer became a cautionary headline.
Security is important, but your C-suite has many moving pieces to balance, such as competing business initiatives and growth plans and expenses. A good senior management team won’t wait for their board of directors to tell them what to prioritize, but it doesn’t help that boards are not yet fully engaged in this topic in their role as guardians of compliance.
According to PwC’s State of Security 2015 survey, despite the barrage of high-profile breaches in the news, fewer than half (42 percent) of respondents said their board actively participates in overall security strategy, and only 36 percent said the board is involved in security policies.
You’ve set up the best defense you can, but now you need more money, tools and support. Here are six steps to help you win over your senior management team in order to increase their involvement – and investment – in IT security:
- Understand the business. Senior management will trust people who understand the short, mid and long term objectives of the organization. Interview department managers to find out what network resources are required to meet their objectives and what failures would be particularly damaging from a reputational point of view;
- When you’re done with this step, you should have a feel for the areas of cybersecurity exposure that you want to address and what assets are important to keep the business running. Bear in mind, it’s likely you’ll need to approach things differently if the company has a plan to move most of its business online or begin accepting credit cards for payment, for example;
- Use independent verification. Once you believe you’ve identified what types of risks your company faces if critical systems are compromised, it’s time for an independent security audit to verify your beliefs. The basic goal is to confirm exposures and to identify in more detail the areas of vulnerability. If using an independent third party to do this is too expensive, high-quality open source security scanning tools that you can use yourself are widely available online. This isn’t as comforting to an executive as an independent audit performed by an expert, but it’s better than nothing;
- Figure out how to fix the problems. Now that you have thoroughly identified and independently verified where the issues are, the next step is determining what remediation consists of. This is where the rubber meets the road. Some problems are harder and more expensive to fix than others. You may need experts to help you in this process;
- Prioritize based on probability and magnitude. What are the hard costs (direct costs like hiring security experts, litigation or revenue losses) and soft costs (like reputation or time spent by internal staff) if critical systems were hacked? This is the language the C-suite understands: time and money. Weigh those costs against the probability that something bad will happen. You’ll want to address the high-impact, high-probability areas first; this might seem obvious, but you’d be surprised how often this doesn’t happen;
- Time to sell. At this point you have a plan and you want to get approval to move forward. When you present risks, do so in terms that are specific to your business, and clearly identify the potential loss and the likelihood it could happen. Avoid jargon and don’t get too technical. If you execute on all these steps, you will likely get the backing you need to get your organization on solid cybersecurity footing. If you don’t succeed, keep trying and make sure you document the conversation you had with the decision maker; and
- Stay on top of it. You’ve done all the hard work, made a strong presentation, and, hopefully, secured the budget to implement a modern, dynamic security system that addresses key concerns. But your job is far from over. Keep your security audit reports current so you’re ready to give updates on your progress when you’re called on to do so. Periodically, run free tools and follow steps three through five on a regular basis.
Hackers know companies, especially small to mid-sized enterprises, struggle with the cost and complexity of properly securing their networks, making them prime targets. Organizations need to be proactive and not wait for a cyberattack to engage. IT security professionals have a responsibility to walk senior management through the current state of security, explaining the risks using business impact terms, and execute corrective measures as soon as possible.
Prior to joining WatchGuard, Richard Barber served in several executive level finance roles, including senior vice president and chief financial officer of Insightful Corporation, a public software company, and CFO of FullPlay Media Systems, another public hardware and software company. Most recently, Barber served as CFO for MOD Systems, Inc., a privately owned digital media software company. He also served as an independent financial consultant to high-technology companies and held various positions, the last of which was senior manager, at KPMG LLP.