Getting Buy In At The C-Level
With the plethora of data breaches in recent months, especially the high-profile Target incident, the topic of breach prevention may now be on the minds of more CEOs and boards of directors. But getting buy-in for funding still requires educating executives on the risks that could have a material impact on the business and raising awareness of critical data security issues.
“[Breach prevention] has certainly garnered attention with executives,” says Matthew Speare, executive vice president of governance and integration at Regions, a bank holding company with $117 billion in assets. “It cost the Target Corp. CEO his job. However, the latest rash of breaches and vulnerabilities is merely a reminder of how diligent we have to be on a daily basis to architect and implement secure systems.”
Assess Your Risks
Conducting a risk assessment – a basic security step – can play an important role in winning senior leadership support for security investments, says Phil Curran, CISO at Cooper University Health Care. That’s the strategy he used to win support for the purchase of a security information and event management system, or SIEM.
“Our business leaders understand risk,” he says. “On a daily basis they make decisions based on financial risk and marketplace risk. They have a hard time understanding information risk until you put it into a risk assessment format. Based on that risk assessment, they provided us with that capital investment – they understood what the risks were.”
Cybersecurity leaders should look at which enterprise risks could materially affect the company, says Malcolm Harkins, chief information security and privacy officer at Intel. “Start looking at enterprise risks and see which of them might be triggered by a cyber-event,” he says.
Speare at Regions says organizations need to put breach prevention into the context of the business view of the organization. “As any investment you recommend is to mitigate a risk, you must quantify the risk in terms of probability and financial impact,” he says. “Once you have built the business case of the cost of risk mitigation, then you can layer in reputational, regulatory and legal risk.”
The use of “scare tactics,” or “crying wolf,” in front of the board is inappropriate, Speare says. “Be a professional and approach in a logical, thoughtful way.”
The growing number of breaches has shifted the focus of cybersecurity to being a business problem, not a technology one, Speare says. “While [executives] may not understand the bits and bytes of the threat, they are understanding that the risks are significant and real and are willing to make the investments to protect their institutions and the customers they serve.”
Another key to obtaining buy-in for breach prevention initiatives is building executive and board awareness of broader data security issues, says Erik Avakian, chief information security officer for the state of Pennsylvania.
“It can’t be a ‘once-and-done’ thing,” he says. “You need to get in front of your C-level staff regularly, and across all levels of the organization, to stress the importance of cybersecurity preparedness and best practices for users.”
Ongoing security awareness training is also important to changing the organization’s culture to be more security-conscious, Avakian says. “Such a culture shift will lead to changes in how the organization views cyber, the breach prevention costs and support for funding initiatives involving breach prevention,” he says.
Harkins meets annually with the Intel board to raise their awareness of enterprise risk issues. “One of the [recent risks] I raised was related to industrial control systems, as the threats and vulnerabilities towards ICS were growing,” he says. “I let them know what our plans were to begin to invest in front of that risk.”
In his next meeting with the board, Harkins will give an update, “telling them the progress we’ve made and any issues or challenges we’ve encountered.”