Most business leaders are not experts in data security, or any IT-related field for that matter. Their attention is typically focused on streamlining business operations in order to maximize profits.
If they can avoid spending money on endeavors that are unlikely to yield any kind of ROI, they will. Face it, data protection doesn’t typically yield any noticeable returns. It’s simply something we must do.
Data security is a complex field, and as attack vectors become increasingly sophisticated, it doesn’t look like it’s going to get any simpler. In fact, even the experts find themselves struggling to identify the most effective strategies to keep our data secure. As such, business leaders may be inclined to shy away from the subject.
If this is the case, and it probably is to some degree, IT managers will need to take some responsibility for the situation. They will need to improve their communication skills, and remember that not everybody has a degree in IT. Not everybody is familiar with the technical terms, acronyms, and buzzwords that we IT folk tend to throw around.
It’s also difficult to know how to budget for cyber-security. Sure, the more we spend, the better chance we have of keeping our data secure, thus lending justification for a constantly expanding budget. However, a line must be drawn somewhere, and we do not really know where that line is.
IT managers should consider the following points before launching an appeal for more financial support.
Avoid the Technobabble
When something is familiar to you, it can be hard to imagine that it’s not familiar to someone else. This is a common mistake made by those who work in IT. Before approaching any senior executives, it is a good idea to practice what you are going to say in advance.
Do what you can to strip out any unnecessary industry-specific terms, and instead focus on helping them understand the costs and the benefits of bolstering their security posture.
Point Out the Average Cost of a Data Breach
Providing a theoretical explanation of the importance of cyber-security is probably not going to be enough to capture the attention of senior executives.
IT managers will need to provide real-life examples of the costs and consequences of a data breach. For example, according to a commonly cited study carried out by IBM and the Ponemon Institute, the average total cost of a data breach is USD 3.92 million.
Business leaders may not understand the jargon, but using these figures, you can help them understand that a failure to act could turn out to be very costly.
Highlight the Importance of Security Awareness Training
Business leaders need to be made aware that cyber-security is everyone’s responsibility, even theirs. Basically, anyone that has access to valuable company data must play their part in keeping it safe. Try to convince senior executives to introduce a mandatory security awareness training program, and even ask them to attend.
Doing so will give them a better insight into the nature of data security, and the challenges that need to be confronted. Not only that, but executives will probably be more receptive to such demands, as it doesn’t mean taking on (and thus paying) additional employees.
Talk about How Automation Can Be Used to Save Money
It goes without saying that business leaders will be interested in cutting costs and improving the efficiency of their business operations. The use of automation technologies is a great way of doing that.
Put together a list of tools and technologies that can be used to automate processes that would otherwise be carried out by the security team.
Spend some time compiling figures to explain how those tools could save X amount of money over the course of Y years.
Explain to Executives That Most Data Breaches Are Caused by Insiders
The understanding that many people have about cyber-security is that it’s a game of preventing the bad guys from getting in. However, the surprising reality is that a significant portion of security threats originate from within.
For example, according to the 2019 Data Exposure Report, of the 38% of companies that admitted to experiencing a data breach in the previous 18 months, half cited employee actions as the cause. Not only that, but even if most security threats did originate from outside, perimeter defense solutions are considerably less effective than they once were.
This is largely because IT environments are becoming increasingly distributed. More people are working from home, and more organizations are adopting cloud solutions. As such, organizations would do better to adopt a more data-centric approach.
Fortunately, it’s no longer necessary to invest in a full-blown SIEM solution, which is not only expensive, but also requires specialized skills to install, use and maintain.
Instead, you can purchase a sophisticated, yet easy-to-use Data Security Platform, which provides similar functionality for a fraction of the price and complexity. Again, this is something which needs to be explained to senior management.
Explain the Reputational Damage That Could Be Caused by a Data Breach
As they say, it’s not a question of if, but when a data breach will occur, yet many companies still believe that it will not happen to them. However, were an organization to fall victim to a breach, and the breach became known to the public, this could damage the company’s reputation, and lead to a loss of trust in its ability to keep data secure.
How the company responds to a security incident is also relevant. If, when questioned about the incident, they are not able to reassure their customers that they know what caused the incident, and have taken the steps necessary to address the problem and prevent it from happening again, this will further erode their customers’ trust.
Again, business leaders must be made aware of the importance of being proactive, as opposed to waiting for an incident to occur and then throwing money around in the hope that it will blow over.
Talk about Regulatory Fines and Lawsuits
Governments across the globe are waking up to the importance of cyber security. If company executives don’t follow suit, they will end up falling out of alignment with the current data protection laws, and thus potentially face fines or lawsuits.
For example, under the GDPR, fines can be as much as 20,000 euros, or 4% of annual turnover. Since business leaders are primarily focused on profits, knowing that they may have to shell out large amounts of money on fines could be enough to turn their heads.
Use COVID-19 as an Excuse to Ramp-Up Spending
More and more employees are working from home as a consequence of the social distancing measures that have been put in place during the current health crisis. Not only that, but cyber-criminals have sought to use the crisis as an opportunity to launch phishing attacks, and other COVID-themed cyber-attacks.
The current pandemic could be a great opportunity for IT managers to lobby senior executives for more investment in data security. Of course, I’m not suggesting that IT managers should resort to scare tactics, but…