It’s shocking to those of us who work in the industry, but people still do not take cybersecurity seriously. How many people do you work with who still use “abc1234!” as a password? Or say things like “I haven’t updated my phone’s OS in months?”
Many think of cybersecurity like a home defense system. You push a button, and the house (your organization) is secure. That’s not the case.
Imagine if, in the above scenario, someone left a window open. Even though you armed the security system, your home isn’t secure due to the action of someone else.
Cybersecurity is much more team-oriented than people realize. As security professionals, we need every member of an organization on board—from executives to contractors to maintenance staff— if a program is going to succeed. As security professionals, we need to know the best way to communicate the importance of what we do to high-level decision makers.
Success starts at the top
Executive sponsorship in a security program drives participation from key players, who will in turn drive success. While the CEO, CIO or CISO are good places to start, don’t neglect department leaders in human resources, training or corporate communications.
Everyone needs to be on board for a successful security program to thrive. It’s important for security to be in every organization’s DNA and a good place to start is the top. If the executive team is not board, not everyone is on board and may never be.
Show, don’t tell
It’s easy to tell someone “Did you read about that crazy breach at SOME RETAILER?” But in order to express the importance of good cybersecurity practices, you need to show the impact of this.
How many people were affected? What did it cost the business (in dollars and reputation, if possible)? What went wrong? What went right?
Show as much as possible. Don’t tell a board member or stakeholder what went wrong. Show the facts and let them do the talking. It’ll make things easier on you and it will have a much stronger impact.
The easiest way to show your security program is working (or will work) is to have and review plans. Incident response, training, crisis communications—these are just some aspects of a solid cybersecurity program that demand proper plans be in place.
Simply having a training program, but not updating it often, is not enough. Maybe you have a crisis communication plan in place, but what about when a high-level communication leader is on vacation? Successful plans have back-ups.
By having, updating and communicating plans, you demonstrate value to your board and other decision-makers in your organization. Beyond that, proper planning demonstrates to those outside your organization that you know what you are doing.
Use the bottom line
Breaches are expensive. But how expensive? Does everyone in the room know how expensive? What about non-monetary costs?
Nothing speaks louder than dollars. It’s relatively easy to determine how much a breach costs. That is a powerful fact. But if you can estimate “reputation damage” or what a breach may cost you in the court of public opinion? Now you have people really listening.
The bottom line is this: the bottom line is your friend. If you can show how cybersecurity impacts overarching business health, people will be much more willing to listen.