Addressing cybersecurity matters can be a constant struggle…especially when the act seems “unprofitable” when compared to “profitable” business investments. Cybersecurity is not a simple IT issue, but a “boardroom” issue that you need to convince your leadership to take seriously.
A robust cybersecurity program requires enterprise-wide leadership buy-in. Leadership must recognize the risk presented by inadequate cybersecurity and invest human and budgetary resources to protect the organization against it.
So…here’s how to do it!
Make a business case for cybersecurity
Speak their language. Boards and execs care about bottom lines and mission-critical operations. Explain how cyber risks threaten those two fundamental business goals, and you’ll have their full attention…and resources.
Give them examples. A data breach can cause monetary, legal, and/or reputational damages. Did you know that the average data breach costs about $3.6 million? Share that fact, then mention that the 2017 Equifax breach could cost the company $400 million. That’s a real-world problem no one wants.
Talk numbers. $11.8 million’s a pretty big number, especially when it represents the potential cost to an organization that falls victim to a business email compromise scam (phishing email). In this case, staff members changed vendor routing information and transferred $11.8 million to an unknown account after receiving fraudulent emails instructing them to do so. Sadly, the fraud went unnoticed until the real vendor complained about non-payment.
Protect your reputation. Monetary damages can be estimated, but the damage to a company’s reputation is difficult to quantify because it’s based on things like loyalty and consumer feelings. But don’t dismiss the potential harm here. A data breach can be a public relations disaster. In one of our recent posts, we explored how a breach can ruin your reputation and cost you customers. Companies are often slow to spot unauthorized access and then respond inadequately. The bottom line – lost sales, poor press, and potentially almost a 70% drop in customer loyalty.
You can’t afford to lose that business.
Tips for making your case
Make it personal
Remind executives that they, too, may be liable to the company, its investors, and other stakeholders if sensitive information is stolen. Additionally, execs may come under fire if shareholders file class action lawsuits related to data security, and data breaches can also trigger regulatory investigations and follow-on consumer lawsuits.
For example, after the Yahoo! breach, which disclosed the personal information of billions of Yahoo! consumers, shareholders filed a class action lawsuit against Yahoo! and some of its directors and officers for misrepresenting the company’s data security status in its financial disclosures. The lawsuit was recently settled for $80 million…and the company and its execs are jointly obligated to pay it.
Get a dedicated budget for your department
Cybersecurity investment can be an afterthought, but explaining your specific needs and requirements will help you get the resources you need. Being specific about your organization’s needs makes the risk real and your request persuasive. Executives are more likely to open the checkbook when you provide estimated and specific numbers, explain why your solution is the right one, and elaborate on what it will do for your organization. Show that the benefits outweigh the costs!
Promote quality communication between IT and execs
Good communication stems from a good relationship, so make sure the relationship between top executives and your IT department is strong. Encourage candor and an open exchange of information. Executives must know that IT has a direct line to the board, so that risks and status reports can be communicated accurately and regularly. Tip: Always be concise and direct when communicating with busy executives.
STAY CURRENT AND IN THE KNOW – FREE WEBINAR 3/21/18
The days of data security being an “IT problem” are over.
Join us for a free 60-minute webinar on March 21 at 1:00 ET titled “Reducing Data Security Risk from the Top Down.” We’ll focus on data security responsibilities for boards and executives and best practices for improving the organization’s ability to protect its mission-critical data.
Who should attend:
- Privacy and compliance officers
- Risk managers
- Security, technical, and support staff
- General counsel and other in-house legal staff
- Board members
Event ID: 2006
Event Password: 9870
This webinar is pre-approved for 1 CPE unit.