Getting and maintaining executive buy-in and support for your cybersecurity program is never one-and-done. It’s an ongoing process that’s ever evolving, much like today’s modern threat landscape.
Getting your C-Suite on board, so they understand why cybersecurity is important and how their support and oversight are critical to success, is the foundation for building a mature, scalable, and efficient cybersecurity program.
Unfortunately, in spite of the continuing rise in cyberthreats, many organizations continue to underemphasize cybersecurity as a part of organizational resiliency.
In a recent Apptega webinar, we asked attendees to rate how strongly their executive leadership teams promote the importance of cybersecurity throughout the organization. Only 32% of respondents said it’s a strong priority, with the other 68% indicating their executives either rarely discuss cybersecurity or, when they do, don’t discuss it in depth.
Modern threat landscape
If you work in cybersecurity, you might not be surprised to hear that leadership in some organizations shares this shortsighted view of compliance and potential cyber-threats, but you also likely understand just how risky these perspectives can be. What we’re seeing across all industries is a growing number of cyber-attacks against organizations of all sizes. And while many professionals attribute the increase in attacks to changing business environments sparked by the coronavirus outbreak, there are enough indicators to demonstrate this is a trend we may continue to see in the future.
Risk Based Security, in its 2020 Year End Report, which spanned Jan. 1, 2020 through Dec. 31, 2020, indicates that 2020 breaches exposed more than 37 billion records, which is more than 141% higher than the number of records exposed in 2019. It’s also the highest number of exposed records in a single year so far.
With all these risks and indicators, if your organization doesn’t yet have executive buy-in and support for your cybersecurity program, now is the time to get them on board. For some organizations, this will be an uphill battle, but with a few tried-and-true recommendations, you can sell the importance of cybersecurity up your management chain and establish security as both critical and necessary for day-to-day business.
But where do you begin? How can you get more executive buy-in to ensure you’ll have the time, tools, resources, and financial support to build a program that keeps your organization safe?
Executive buy-in importance
It all starts with understanding why you need executive buy-in to begin with. That conversation begins here: When it comes to building an effective cybersecurity program, it’s all about three core elements—ensuring you have the people, processes, and technologies in place to secure your organization.
That obviously requires investment, and the reality is, implementing effective cybersecurity isn’t easy, and it’s not cheap. A recent report from Statista Research estimates small to medium-sized businesses (SMBs) will increase IT spending this year, reaching $684 billion in 2021, up from $602 billion in 2018.
Executive buy-in is also important because you’ll need to cultivate a security culture throughout your organization. That’s because cybersecurity isn’t just about building a technology perimeter around your attack surface. That’s part of it, but you also need organizational buy-in about the role security plays in both short- and long-term success.
While organizations are maturing their cybersecurity practices, attackers are often evolving at equal or faster rates. They’re infinitely patient because a single successful breach after countless unsuccessful attempts can have an enormous payout, whether that comes as a ransom paid to regain access after a ransomware attack or as the more traditional financial exposures and payouts the targeted organization has to absorb.
It’s also worth pointing out that while we commonly think of attacks as digital, like email, we’re now seeing movement back to more traditional attempts, like social engineering over the phone, where an attacker mimics another person’s identity and successfully tricks others into disclosing credentials or other sensitive information.
Although there is increasing data about the value of effective cybersecurity, many organizations still encounter roadblocks that impede success.
Even with the appearance of executive buy-in, one of the most common roadblocks is apathy. Still, far too many executives think, “This can’t happen to us,” when, in fact, an attack can happen to any organization, regardless of its size or the volume and types of data it processes.
Every organization has assets that can be breached, and those assets can give attackers the opportunity to exploit everything from personally identifiable information (PII) to other sensitive data, whether that belongs to your business, your employees, your customers, or your partners. One breach at your organization can even put others at risk, for example, if an attacker successfully obtains credentials that give them access to third-party sites or supply chain partners.
Another common roadblock ties back to the topic of finances. Because establishing and maturing cybersecurity can be expensive, and because those expenses are ongoing and often compounding, many executives just don’t want to take the first steps toward program development. If you’re in this situation, it’s important to ensure that your executives understand the bigger picture—just how costly a single incident can be compared to a cybersecurity investment.
Drivers for executive buy-in
While these common roadblocks can impede success, there are also some great options for driving cybersecurity cultural adoption.
An increasing number of customers and supply chain partners now expect you to incorporate cybersecurity and data privacy into your operations. It’s no longer enough to just say you do it; the emphasis is increasingly on proving it by meeting specific compliance standards.
The better you can communicate customer expectations, and how security can help drive more revenue and give your organization a competitive edge, the more likely your key stakeholders are to tune in to what you say. Read the TeleNet Case Study to learn how they are using their cybersecurity program to gain competitive advantages and grow their business.
Change management can be another important driver for executive buy-in, which isn’t limited to large enterprises alone. Regardless of how large your organization is—or isn’t—it’s fairly likely you’re periodically going to introduce new technologies, or new policies and procedures. By including security in these conversations, you can help drive that executive buy-in with related business value.
So with this background on objectives, challenges and drivers of executive buy-in, let’s take a look at six quick recommendations you can employ now to get your executives on board with supporting your program.
1. Explain the current environment
It’s important to ensure your C-Suite understands exactly what cybersecurity is and how the modern threat landscape is changing. This is particularly critical if your organization is changing or scaling—for example acquiring other companies, adding divisions, or increasing the technologies you use.
But don’t get too technical. You’ll need to speak a language your executives understand. If you bombard them with fear, uncertainty, and IT jargon, you may stall before you get out of the starting gate.
2. Quantify the risk
To communicate effectively with your executives, you’ll need to speak their language, and that means aligning your cybersecurity risks to business objectives and your organization’s risk appetite.
Put it in business impact terms. Explain to your team members, using real-world examples, what could happen if you don’t invest in your cybersecurity program. There are a couple of effective ways to do this. You could look at successful attacks on peer organizations and explain what happened, why, and what the full costs were (financial, brand, reputation, and so on).
While those examples can serve as good starting points, you may be able to get more buy-in by personalizing the risk to your specific organization. Show your executives what is currently happening within your organization—for example attempted breaches or other security vulnerabilities and issues—and then explain what could happen if they were successful.
3. Develop relationships with program advocates
While you need C-Suite support for success, you can solidify that support with a tone-from-the-middle approach. That means seeking out advocates for your program, particularly among mid-level managers who are responsible for interacting across your company in day-to-day workflows and activities.
By getting, and building on, peer support within your organization, you may find it easier to get executive attention and, with a groundswell of support, be one step closer to a culture of security at all levels. Demonstrate that you have other employees outside of your team who understand the risks and support protecting the organization.
4. Consider a third party
Sometimes, no matter what experience you bring to the table or how trusted you are, when you have an idea, even one supported with data, you’ll run into issues getting your team aligned. This might be a good time to consider bringing in a third party, like an auditor or external pen testers, to demonstrate the issues, concerns, or resource requests you have.
There are times, depending on your organization, where a third-party voice could carry more weight than your own. Don’t take it personally. Remember, your ultimate goal is to protect your organization, your company, and your team members, so consider using third-party measures to get that point across.
5. Simulate an attack
Successful security teams are always testing their defenses, for example, by sending a fake phishing email or ransomware link to see if employees will engage. A simulated attack can help you explain, in detail, exactly what could happen to your organization without cyber defenses.
Simulate an attack. See how your team members respond, and show your executives what damage could occur and what the worst-case scenario might look like for your company.
Simultaneously, if your processes are effective and working, you can use those results as a case study in why security is important and how it’s effectively keeping your organization safe.
6. Conduct a tabletop exercise—and bring in the execs
It’s one thing to explain cybersecurity to your team members, even when you’re using the right language and have it aligned to business risks; it’s another for them to see it in action. Unfortunately, many executives and board members don’t get this experience until there’s an actual event, and by that point it’s often too late to build on lessons learned. So don’t wait for an actual incident: conduct a tabletop exercise and bring your executives to the table.
Invite the C-Suite and give them roles and responsibilities similar to what would be expected during an incident. Ensure they understand what their roles are and what could happen if they don’t know what they need to do and when. These tabletop exercises are a great way to turn concepts into reality without putting your organization at risk. If you find it challenging to host effective virtual tabletop exercises, read this blog article with tips for Ensuring Effective Tabletops in a Virtual World.
Keep it Going
Building executive buy-in can be challenging, but you should never consider it finished once you get your team on board. As your team, business, and threat landscape change, so will your need to step up communication and tactics to keep your leaders engaged with your program.
Remember, you don’t need a real-life incident to get executive buy-in. Get ahead of attackers and start building executive buy-in now to support a scalable, more mature cybersecurity program for tomorrow.
Read this article for Five Tips for Presenting Cybersecurity to Your Board of Directors