Convincing The C-Suite To Fund Cybersecurity Projects
For a long time, it appeared that only large corporations were at risk of serious data breaches or ransomware attacks. The threat landscape has since expanded to include the public sector, mid-market companies, and even small businesses. Attack techniques have also grown more complex, with compromises of software supply chains and APIs now routine, and the cybersecurity landscape has changed drastically as a result. Unfortunately, many executive teams have yet to adopt this new perspective.
Convincing the C-suite to invest in cybersecurity initiatives is a significant challenge. IT leaders often face an uphill battle trying to align executives with the costs associated with substantial security upgrades. These discussions can be particularly complex when they involve nuanced concepts, such as moving the company toward a zero-trust architecture or aligning its program with the NIST Cybersecurity Framework.
Many executives still operate with a traditional on-premises IT mindset, viewing any investment as a one-time capital cost that is amortized and then followed by a return to the baseline operating budget. As IT leaders, we understand that this is no longer the case. Even hybrid solutions typically involve a monthly per-user or per-seat licensing model, transforming what was once a fixed cost into a fluctuating, ongoing operating expense.
So, how can you successfully raise awareness among the C-suite to secure the necessary funding?
Business leaders need to grasp the growing urgency of evolving cybersecurity threats. It is our responsibility to educate them about the frequency, severity, and sophistication of cyberattacks. Here are several effective approaches for conveying this message.
Industry Data
It is relatively easy to find statistics on the increasing number and cost of cybersecurity attacks. However, executives frequently overlook such data, having become desensitized to the news.
I recommend discussing the methods by which these attacks succeed, rather than sticking to a macro view of the state of the industry. Identity and Access Management is an excellent starting point. Executives tend to pay attention when informed that a majority of breaches begin with compromised credentials or impersonation of a legitimate user. This naturally leads to a conversation about zero trust. I once presented the results of periodic phishing tests to senior leadership, and their jaws dropped upon seeing the high failure rates. This sparked immediate interest in understanding more about the risks and implications.
Privacy Regulations, Liability Insurance And Customer Requirements
Many CEOs and CFOs are aware of global privacy regulations like the European General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). However, it is less common for executives to fully understand the requirements necessary for obtaining comprehensive liability insurance or cybersecurity coverage. Additionally, most customer and vendor contracts contain information security addendums with similar stipulations.
As IT leaders and advisers, it is our responsibility to educate the C-suite on the risks of not adhering to these essential clauses in laws and contracts. Non-compliance with regional privacy regulations can result in significant fines and operational restrictions. Failure to align your cybersecurity program and incident response plan with the conditions of your insurance policy, such as required controls like multifactor authentication or notification deadlines, could lead to the denial of claims related to data breaches. The inability to meet procurement requirements could result in the inability to respond to RFPs, submit SOWs, or open purchase orders.
Periodic Testing And Benchmarking
Most IT teams utilize some form of real-time, cloud-based monitoring service or conduct regular penetration tests and vulnerability scans. However, it can be challenging to explain the findings of these activities to non-technical executives. Instead, I find it more effective to align these tests and other cybersecurity ratings with those of peers and similar businesses.
There is ongoing debate about the value of benchmarking as a roadmap for security programs. Nonetheless, I find it valuable to show executives how your defenses compare to those of competitors. By establishing security benchmarks, you can help executives better understand security gaps, estimate the funding needed to address them, track remediation efforts, and evaluate the effectiveness of these efforts. This can help the C-suite see security as a competitive advantage rather than merely a cost center.
Keeping Security In The Spotlight
In 2023, the SEC adopted new rules requiring public companies to disclose material cybersecurity incidents within four business days of determining materiality and to describe annually how the board oversees cybersecurity risk. Many investors and private equity firms have adopted similar expectations for the companies they fund. This has sharpened executive focus on cybersecurity but also highlighted the experience gap between executives and technology staff.
IT leaders must keep the conversation alive to secure executive buy-in for investing in security frameworks such as zero trust. To maintain their interest and commitment, I recommend tactics such as regularly updating real-world incident statistics, conducting ongoing security risk assessments, and presenting the results of benchmarking efforts. By continually providing current data and real-world examples, you can demonstrate the evolving nature of cyber threats and the effectiveness of cybersecurity measures in mitigating these risks.