No matter how big your organization is, cybersecurity is a mission-critical part of your business infrastructure that not only protects you from hackers but keeps your customers (and their data) safe as well.
The challenge with cybersecurity, like with most things IT-related, is that leadership often doesn’t see it as something that needs ongoing investment. Even if you have a basic system in place, though, the landscape changes so often (both the threats that come from criminals and the requirements of governments change all the time) that if you don’t keep investing in cybersecurity, it’s just a matter of time before you suffer a data breach.
Data breaches and other cybersecurity incidents have a tendency to not just cost your business a lot of money in regulatory fines, lost business, and the cost of getting running again, but they also destroy the trust that your customers have in your business. So even if you do get things back online, you’ll struggle to convince customers that you can be trusted.
That’s why it’s important to get buy-in from the top.
What can you do to get leadership to invest in cybersecurity?
The interesting thing about getting pushback from the top about investing in cybersecurity is that strong security on its own is often enough to stand out from competitors who haven’t done a great job with it in the past. And, if you can position yourself ahead of incoming changes to regulations (like GDPR, California Consumer Protection Act, etc.), you can be seen as visionary.
Here are a few tips that you can use to reduce that friction and get the buy-in you need to have a leading-edge cybersecurity program in your business.
Speak their language
IT and leadership don’t really speak the same language. That shouldn’t be surprising. Each group has its specific acronyms and things like that. So, the challenge becomes trying to find a way to speak their language when talking about security, or at least something closer to their language.
This means leaving behind all the usual IT jargon that you’d use when talking to your colleagues and focusing on the business impact of cybersecurity. Talk about the leadership team’s business objectives and how they might be affected by a security incident. Walk them through how stronger security can help them meet those business goals and how they can even set the business apart from others by having stronger security.
Help them understand the current threat landscape and how your current systems may be exposed
This is probably the one thing you can do that has the most impact on getting buy-in from leadership. Sometimes, you can talk about the benefits of doing something until you’re blue in the face and people just aren’t going to listen. They’ve heard all the talking points before. They know the benefits. And, despite that, it still feels worth it to them not to invest.
When that happens, try looking at what could go wrong if they don’t invest in cybersecurity. Start by highlighting the current threat landscape. For example, if your business went remote during the COVID-19 pandemic, talk about the increase in attacks that have happened since 2020 and how it’s been affecting businesses of all kinds.
Not only that, but when you factor in the remote work aspect of things, you may suddenly be faced with a threat matrix your business hasn’t had to cover before. If you’ve just given your team access to a virtual private network (VPN) that allows them to access your network remotely, you’re only covering a small part of it. You also need to consider physical security for a team that is no longer in one place. You must consider what distraction and exhaustion may be doing to people who’ve been at home with kids.
You don’t want to scare leadership into acting, as that won’t end the way you want it to. Instead, you want education to be front and center.
You can really drive this home by running simulations. These are safe demonstrations of what could happen to your business as a result of a cyberattack. They’re designed to showcase the weaknesses that exist, whether they’re known or not, and they really help drive home the amount of damage that can be done by even a basic attack. They’re an excellent way to highlight all the unknown holes in your system, without having to first suffer a cyberattack.
Tie security to strategic business goals
We hinted at this in an earlier section, but the more you can focus on how your business is better positioned to meet specific business goals, the easier it’ll be to get the buy-in you need from leadership.
When you tie the investments to specific goals, like increasing customers or increasing customer lifetime value, you make it easier for those in charge to directly tie their investment to more revenue. Better yet, demonstrate what can happen to your strategic goal if you do suffer some kind of cyberattack (we’ll touch on this again later).
The goal is to make sure that leadership sees a direct connection between the amount of money being spent on security solutions and improvement in your business, either in terms of increased revenue, better customers, or a stronger reputation.
Identify strategic areas to invest in
Building on the idea of tying the investment to specific business goals, the next step is finding specific areas where investments can be made.
For example, if you’re releasing a new app, application security might be an option. Highlighting the need for a web application firewall for your new product can be just the thing you need to get more buy-in.
Similarly, if you’re a business that has an online payment gateway, investing in enhanced security around that can help you stand out from the crowd, especially if all your competition is using a bog-standard approach that provides protection, but doesn’t go above and beyond.
The more you can identify specific use cases that can be connected to business goals, the easier it’ll be to convince leadership to invest.
Have data ready to prove your point
Business leaders love data. It helps them understand concepts in a tangible way because it offers a direct connection to what’s going on in their business.
That’s why the more data you can bring to the table, the better. And not just data about cyberattacks in general. Stats are great, but they’re also generic and don’t specifically apply to your business (even if they’re from your industry).
Instead, bring data from your business and show leadership the numbers around how many cyberattacks you’re stopping on a regular basis. Talk about the kinds of attacks that you’ve been seeing, any trends you and your team have been noticing, and focus on what’s changing. If you can, show how little it would take to overwhelm your current system. For example, if you’re blocking X number of credential stuffing attacks a month, what would happen if that were to suddenly double? Credentials are inexpensive enough these days that a spike can happen at any time. If you don’t have a system that can keep up, your customers’ accounts are going to be stolen right out from underneath them. That’s going to cost your business money to fix the problem and it’s going to destroy the trust your customers have in you.
When all else fails, bring in outside experts to help demonstrate the true value of investing in cybersecurity
Sometimes, you hit a saturation point when talking to leadership about what they should be investing in. They’ve heard you cover the same talking points too many times and their eyes just glaze over when you start talking (maybe not really, but it can feel that way sometimes).
That’s where outside experts come in. They haven’t been talking your boss’s ears off about cybersecurity, so they bring a new perspective to an old problem. Beyond that, a good team can come in, talk about emerging trends, provide data to back everything up, and even help you run simulations that showcase the threats that your business faces and the damage that an attack could do.
And, because they’re being paid by your company to talk to leadership, there’s a better chance that the exec team will listen and implement the suggestions that they’re making.
Need expert help?
If you’re at the point where bringing in an outside team is what your business needs to get buy-in on cybersecurity matters, you’re in luck. Our team has been sitting at the cutting edge of cybersecurity for more than 20 years. We’ve been tracking the changes in industries and regulations while helping our clients get the buy-in they need to implement world-class security solutions that not only protect businesses but also customers.
Ready for some help? Let’s talk today.
Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.