The digital transformation of the last two decades has placed cybersecurity front and center on the CEO agenda. Customers now place vast quantities of personal information into the hands of businesses, with the expectation of a certain amount of privacy and confidentiality in exchange. The ability to meet this expectation is crucial in order for a business to retain customers and build its brand.
And with a string of successful corporate and government hacks making devastating headlines over the last few years, everyone from the C-suite down to rank-and-file IT is aware that a single security breach can cost a company its reputation, millions of dollars, and plenty of jobs.
Unfortunately, not everyone is on the same page about how much more security is needed to prevent and mitigate risks, where it’s needed, or how to invest in improving security posture. Getting your CEO on board with your security experts’ advice is crucial. This series of blog posts will help you figure out how to discuss security with your corporate leadership so that you can get the solutions your company needs.
Beginning the Security Discussion
The first step to communicating with your CEO on security is to understand what your security situation looks like from the CEO’s perspective. Unfortunately, in many cases, that view is far rosier than the reality you see down on the ground.
The high-profile hacks of the past few years have made your CEO well aware of the importance of cybersecurity and the consequences of a security incident. Forward-thinking CEOs already understand that they should prioritize the protection of corporate, customer, and employee data. This means investing in prevention and being ready for remediation. However, not every CEO recognizes the urgency of today’s security situation—and it’s easy to understand why.
To the non-technical CEO, the complexities of security can be daunting: the concept of “security threats” looming ominously, yet inescapably, over the corporation. Meanwhile, with other priorities like sales and revenue, product R&D and innovation, profitability and operational efficiencies, and overall growth on his or her plate, your CEO may see security as simply another project for the IT cost center. After all, it isn’t always easy to project the impact of a security incident on stock prices.
When discussing security with a CEO, your job as your company’s security champion must be to show exactly why security isn’t just an IT project, but a corporate and C-level mandate that is critical enough for your CEO to remain engaged, aware, and continuously involved in monitoring the situation. After all, the effects of a security breach ripple far out from the servers at the epicenter. A breach can lead to severe brand damage, lost customers and sales, and falling stock prices.
76 percent of CIOs and 55 percent of CEOs feel confident in their current cybersecurity plans, according to CSO Australia. Yet according to other studies, these same people also admit to being vulnerable to attack, with nearly a quarter unsure if they have already been attacked. In 2015, according to the same ISACA/RSA report, 24 percent of surveyed security professionals didn’t know whether any user credentials had been stolen from their organization. 75 percent worry that an attack could come through a weakness in their supply chain.
And yet, despite all evidence to the contrary, the mindset appears to be “it won’t happen to us,” a mindset severely detrimental to critical security initiatives in need of funding. Measures like identity management access controls and governance require continuous investment and commitment as the threats are constantly evolving. It is your job to help your CEO understand how perilous the security situation is on the ground at your organization and the investment needed to strengthen your security position.
Aligning Security and the C-Suite
The problem you must solve lies in a lack of alignment and clear communication between on-the-ground security and the C-suite. In speaking with executives about the importance of investing in the right security, your most effective approach is to frame the topic as a business rather than a technical issue.
Risk should be the driver of the conversation: Security can directly and severely impact the bottom line, and that’s a fact that deserves honest discussion. Your CEO, the rest of your C-suite, and your board need to engage in a constant evaluation of the security risks facing the company and how your organization can identify and resolve problems. These discussions are crucial to achieving alignment on the company’s position, key risks, and optimal spend.
Corporate leadership not only needs to be on board with your security strategy, but needs to feel a strong sense of ownership. Without this alignment, your department will be disastrously limited in how much can be achieved, not just in protecting the company, but also in enabling greater business growth.
With the right technologies and process, a greater security position can empower business users to more effectively collaborate and innovate, make smarter decisions, work more effectively toward goals, and engage with customers. Ultimately, security can make it easier to do business with the company by establishing trust. None of that will happen, however, unless you can bring executives on board and make security a true team effort.
And it has to happen now. Today’s already hazardous threat landscape is only going to become more dangerous as more users enter more connected environments. Add the Internet of Things and, further down the road, artificial intelligence, and the attack surface is poised to expand dramatically. Take action before that happens.
Ready to learn how to get your CEO on board with your organization’s true security needs? Stay tuned for the next installment of our series. We’ll delve deeper into the problems caused by executive overconfidence in your information security program.