IT Directors, CIOs, CISOs and Other Non-technical Decision Makers
As with any corporate relationship, the one between CIOs and CFOs depends on the organization. When it comes to making cybersecurity decisions, some companies are more IT driven, with CIOs and CISOs taking the lead; in other companies, CFOs and other leadership make the decisions. Budgeting also has an impact on these decisions. IT teams often have a budget for cybersecurity needs; however, CFOs will usually have the final say. For example, if a CIO needs a vulnerability management provider, they first choose the best-in-class option and then check with the CFO to see whether it is within the budget.
Challenges in Communicating the Value of Investing in Cybersecurity
Convincing CFOs and other decision makers of the importance of investing in cybersecurity can be difficult. These are often non-technical people who may not understand the risks associated with underinvesting in cybersecurity technology. What might seem like a simple line item to a CFO can mean significantly more to a security professional, and it’s crucial that IT directors are able to articulate this distinction effectively.
Unfortunately, it usually takes a cybersecurity breach for some companies to truly realize the need for cybersecurity measures. More organizations need to give IT leaders stronger authority in the company to make decisions surrounding the security of the digital environment. IT directors need to be able to report to the top level of the company to set security policies for the entire organization. It’s problematic when non-technical leaders are making decisions about technologies they do not fully comprehend.
When approaching discussions about cybersecurity measures, it’s helpful to frame them in terms that CFOs and other leaders understand, such as financial implications or compliance standards. Adapting the cybersecurity argument to fit your industry can play a pivotal role in getting leaders on board.
How to Communicate the Value of Cybersecurity
IT professionals know that investing in good cybersecurity is critical to an organization, and it’s equally important to be able to effectively explain why to other decision makers.
When communicating with the CFO, focus on risk mitigation and the potential costs associated with those risks. These leaders think in terms of budgets, so hearing the cost of a breach might be a key factor in obtaining more cybersecurity resources.
Key points for an IT professional to research and communicate:
- What is the cost of a breach?
- What is the likelihood of getting breached?
- What is the highest threshold for the cost of getting breached? The average threshold?
- What is the cost of cybersecurity for your business?
- What information do you hold that could be stolen in a breach?
- What are your industry standards/compliance requirements?
By doing this research, IT teams can have answers ready for these questions. For example, the number of potential risks decreases as more security measures are put in place, so while a comprehensive plan might be more expensive for your business, it carries less risk of an even more expensive breach.
Knowing the cybersecurity standards for your industry is also useful. Some industries, like defense or healthcare, have significantly more compliance standards (CMMC and HIPAA), and each requires specific security standards to be met. This can make security easier to “sell” to decision makers, since it avoids the consequences of being non-compliant.
IT departments need a lot of coverage. There is a saying that for every 75 employees, an organization needs one IT person. For a company of 100 people, that means at least two IT personnel, as well as an MSP (Managed Services Provider) to help fill any gaps. Companies with smaller IT departments will need larger budgets for external help, which is something to consider when communicating with decision makers. Typically, companies that get breached are underinvested in IT or have invested in the wrong areas (not security).
Proving the Value of Cybersecurity
It can be difficult to prove the value of investing in cybersecurity. In a way, it’s easier to prove the negative impact of underinvesting. If an organization does not put enough resources into a comprehensive cybersecurity strategy, they will likely find out in the form of a breach. Organizations that are breached once will often be breached again because hackers identify them as easy targets.
The most effective way to prove that your security strategy is working is to show leadership what the team is doing. Report to leadership what threats you are tracking, show trends, demonstrate that the number of vulnerabilities for your company is decreasing, and report on the number of threats that have been stopped. Show how the network has been hardened and present an overview of the core security initiatives. Presenting the positive effects of the existing security can be great leverage when arguing for more resources.
Another way to prove your success is by investing in an annual third-party risk assessment to show that you take security seriously. When the assessment is complete, you can create a report analyzing the results to show what is working, what could be improved, and what is missing. Then, you can continue to report on this on a quarterly basis. While an audit can be a big investment, it’s worth it. Organizations just need to be careful not to rely too heavily on audits, and to also utilize companies that are experts in cybersecurity, like Blue Team Alpha.
When communicating the value of cybersecurity to your decision makers, it ultimately comes down to this: what is the cost of not investing in strong cybersecurity? Even if you do everything right, you can still get breached. The more security measures you have in place, the lower the cost and the faster the recovery time in the event of an attack.