We published an article recently about how many senior information security professionals, be they CISOs or CIOs, are worried about their systems being vulnerable to breach. One of the main problems is getting senior stakeholders, like the Board or the executive management team, to buy into your information security strategy. We shared a few approaches on how to address this ubiquitous problem.
See article: Cybersecurity budget: CISO advice for getting your Board of Directors to take notice
Achieving executive buy-in on information security policies is much more difficult than it should be despite all the press given to cybersecurity incidents. Some might argue that this increased publicity has helped IT teams secure the budget and resources they need to protect their systems, users, and sensitive data. I’m not so sure.
The cyber stories journalists typically cover are the more dramatic fails. It might be, for instance, a healthcare institution being the victim of a ransomware attack. There is a bad guy (in this case one threatening to delete or, worse, publish sensitive data), a victim, a threat, and, well, the story writes itself.
But here’s the problem. These types of threat can haunt senior teams within an organization, and give management a skewed vision of the realities of keeping the organization safe from these headline-grabbing attack types.
CISOs and CSOs know that a cyber incident, be it a data breach, a DDoS attack, or a keylogger, can often be traced back to an instance of poor security hygiene within an organization.
Typical problem areas such as poor password management, poor application and service setup and configuration, unreliable patching processes, and a lack of network visibility, while not as hot a storyline, vastly increase an organization’s exposure to cyber risks.
In other words, attempting to reform an institution’s approach to information security is an increasingly difficult task, if you lack the proper support, expertise and experience.
Just consider the big breaches of 2017:
And more recently, issuing the correction during Hawaii’s recent missile false alarm was significantly delayed, partly because the Hawaiian Governor misplaced the password for his Twitter account. The FCC has since declared that Hawaii lacked “reasonable safeguards or process controls” that could have prevented such a false alarm.
The takeaway is this: it is often the small things, tiny oversights of basic security practices, that open the gates to cyber hell.
Convincing senior stakeholders to engage with and buy into a preventative information security maintenance strategy will not only help to mitigate your concerns as a CISO or CIO, but will also put you in a position to comply with many more regulatory bodies, as well as make you a much less attractive cyber victim.
One way to get the senior team to sit up and listen is to talk numbers. The Ponemon Institute reported that the frequency and costs of data breaches are climbing, with organizations facing costs in the $4 million region, a 29% increase since 2013.
Another angle is this: five months after one of the biggest security incidents ever, Equifax has still not recovered its share price. While it’s slowly ticking upwards, it’s still more than 10 percent down from $140/share back in September.
And it doesn’t end there. According to the Wall Street Journal:
“Equifax said in its third-quarter earnings call in November that it incurred $87.5 million in expenses tied to the breach it revealed in September. The incident involved personal information of potentially 145.5 million Americans.”
With stats like these, you are bound to get the senior stakeholders’ attention. Then you can start discussing the adoption of preventative measures.
Do you want some additional guidance on getting your senior stakeholders on board when it comes to information security? We can help you secure the budget and resources you need to properly secure your network, making you a vastly less attractive attack target.