Getting buy-in for cybersecurity strategies like implementing a Zero Trust framework isn’t easy. You have to convince executives and boards that spending more on cybersecurity is justified, but you’re often talking to a non-technical, skeptical audience.
The C-suite and board members are likely to see cybersecurity as an abstract concept. It’s often seen as a tech issue rather than a business issue, and perhaps as an unnecessary luxury rather than a necessary expense.
This runs contrary to what security experts actually see: threats that keep growing and evolving, and that are increasingly sophisticated and damaging.
The COVID-19 pandemic led forward-looking companies to significantly increase their cybersecurity budgets, especially with more remote work.
Still, there are also many other organizations that are trying to cut back on unnecessary spending in the face of instability and uncertainty.
Heads of IT will have to be increasingly persuasive to show the value of creating or increasing a cybersecurity budget.
Understand that boardrooms are sick of hearing about growing cybersecurity threats if all they’ve seen so far are things operating smoothly. Often boards think they’ve given more and more money to put toward cybersecurity, but all they get in return is requests for more.
The following are things to keep in mind as you’re selling your boss or the board of your company on why spending on cybersecurity should be a key strategic priority.
Approaching People Who Make the Decisions
You have to realize that the board or the executives you’re discussing your cybersecurity strategy with are going to be looking at financials first and foremost. That might even be all they’re looking at, whereas your IT team is likely to calculate things like risk scores in decision-making.
You have to present the potential impact of cyber threats to executives in the financial language they speak. Focus on ROI rather than calculations of probability.
You need to draw a clear line to what they’re investing in.
For example, when the organization is investing in cloud-based security and remote collaboration, show how it’s going to help people who are working from anywhere be more efficient. Show how security and investments in tech have the potential to reduce downtime and protect the company from phishing, data loss, theft, viruses, and malware.
Most people have some understanding of the effects of ransomware attacks, so this might be a good place to focus. There have been high-profile ransomware attacks on major companies in the past couple of years, so an emphasis here is likely to resonate best.
The loss of data could lead to significant financial losses for a company, and this is something else you need to be prepared to convey to decision-makers.
What Does It Mean to Speak in Financial Terms?
Quantify cybersecurity risks and threats, and then offer a calculation for the effectiveness of your proposed threat mitigation solutions.
One way to speak to decision-makers in financial terms is to provide specific details on the most pertinent threats, along with mitigation approaches and their likely effectiveness. You can integrate into your figures the cost of education, employee downtime, and particular software or technology solutions.
Run simulations that compare combinations of mitigations, so you can show which mix delivers the most risk reduction for the money.
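As an added illustration of the calculation described above (not part of the original article), the following Python puts threats and mitigations into annualized-loss terms and enumerates which combination of controls fits a given budget with the largest net benefit. All dollar figures, rates and reduction fractions are constructed assumptions for the example; replace them with your organization's own estimates.

```python
from itertools import combinations

# Constructed sample figures (assumptions, not taken from the article). Each threat
# has a single-loss expectancy (SLE, dollars per incident) and an annual rate of
# occurrence (ARO); annualized loss expectancy ALE = SLE * ARO.
THREATS = {
    "ransomware": {"sle": 400_000, "aro": 0.25},   # ALE 100,000
    "phishing":   {"sle": 60_000,  "aro": 1.5},    # ALE  90,000
    "data_loss":  {"sle": 150_000, "aro": 0.4},    # ALE  60,000
}

# Each mitigation carries an all-in annual cost (licences, training time, staff
# downtime) and the assumed fraction of each threat's ALE it removes.
MITIGATIONS = {
    "mfa":                {"cost": 30_000, "reduces": {"phishing": 0.7, "ransomware": 0.3}},
    "offline_backups":    {"cost": 25_000, "reduces": {"ransomware": 0.6, "data_loss": 0.5}},
    "awareness_training": {"cost": 15_000, "reduces": {"phishing": 0.4, "ransomware": 0.2}},
    "edr":                {"cost": 45_000, "reduces": {"ransomware": 0.5, "data_loss": 0.2}},
}

def ale(threats=THREATS):
    return {name: t["sle"] * t["aro"] for name, t in threats.items()}

def evaluate(chosen, threats=THREATS, mitigations=MITIGATIONS):
    """Cost, expected annual loss avoided, net benefit and ROSI for a set of controls.
    Reductions against the same threat are applied multiplicatively: each control
    only removes a fraction of the loss that the previous controls left behind."""
    residual = ale(threats)
    for m in chosen:
        for threat, frac in mitigations[m]["reduces"].items():
            residual[threat] *= (1 - frac)
    cost = sum(mitigations[m]["cost"] for m in chosen)
    avoided = sum(ale(threats).values()) - sum(residual.values())
    net = avoided - cost
    rosi = net / cost if cost else 0.0   # return on security investment
    return {"controls": tuple(chosen), "cost": cost, "avoided": avoided, "net": net, "rosi": rosi}

def best_combination(budget, threats=THREATS, mitigations=MITIGATIONS):
    """Enumerate every subset of controls that fits the budget and return the one
    with the largest net annual benefit (loss avoided minus cost). Ranking by
    ROSI alone would favour the cheapest single control instead."""
    names = list(mitigations)
    candidates = [evaluate(c, threats, mitigations)
                  for r in range(1, len(names) + 1)
                  for c in combinations(names, r)
                  if sum(mitigations[m]["cost"] for m in c) <= budget]
    return max(candidates, key=lambda e: e["net"]) if candidates else None
```

Calling best_combination(50_000) with these figures selects offline backups plus awareness training, which is the kind of budget-to-outcome line a board can follow.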
Present an Exercise
To get the attention of the people you’re asking for more money, you might want to run an exercise based on an actual ransomware scenario. Explain how something similar could affect your organization, and then show the detailed measures you want to take to avoid it.
Be thoughtful in choosing the most relevant and realistic exercise.
The goal of presenting an exercise is to get executives and the board to ask questions about cybersecurity, contingency plans, and network security.
Then, if and when they do that, you have the chance to show executives information in a way that’s digestible and can be used to base decisions on.
You can show them where you’re lacking, where you’re doing well, and where your budget will go to bolster your weaknesses.
Don’t be an alarmist when you’re presenting scenarios. Management is likely tired of the scare tactics. Again, if nothing has happened so far, they’re going to be especially turned off by alarmism. Real-life scenarios can help you avoid being an alarmist.
Have a Defined Spending Plan
If you’re able to get the attention of the board, you need to be able to back everything you say up with a targeted, responsible spending plan. You shouldn’t request a budget and then have nothing to show for how you plan to allocate it.
You have to be seen as a responsible spender if you want to maintain credibility.
With this, be ready to explain how you’re going to define and measure ROI. Security spending is tough to quantify, so you may need to get creative. You’re weighing investments against the possible impact of not investing in cybersecurity, so how are you going to justify each item of spending on that basis?
Don’t speak in highly technical terms or use jargon. Speak in business terms. Your biggest goal when presenting anything to executives or the board is to speak as a business person rather than a tech person.
Could a lack of security reduce revenue and profit? Talk about that.
Prioritize What You’re Asking For
Don’t go into a situation planning to ask for everything all at once. It’s overwhelming, especially to a non-technical audience. Narrow requests with a focus on the most pressing vulnerabilities.
Finally, don’t forget about the regulatory elements of cybersecurity, which is something that may be easier for your boss or the board to digest. They do understand non-compliance costs, so if it’s relevant to the case you’re making, talk about the growing worldwide data regulations and how much you could end up spending in a situation of non-compliance.
That’s something that’s easy to put a number on, so it can be a useful part of making a compelling spending case.