Getting the board on board with cyber-security: Top tips for making a compelling case for resources to safeguard the enterprise
- 19 July, 2019 13:28
Work for an organisation that’s become concerned about cyber-security? You’re far from alone.
Thanks to a string of high-profile attacks and intrusions, Australian business leaders are alive to the damage digital intruders can inflict on ill-prepared, or simply unlucky, enterprises.
The recent roll call of local victims includes the Australian Catholic University, fashion house Princess Polly, graphic design giant Canva and Australia Post.
Fear and uncertainty are certainly on the rise: PwC's 2018 Global Economic Crime and Fraud Survey: Australian Report found that senior executives regarded cyber-crime as the most disruptive crime of the day and the greatest threat to growth. But translating that concern into a rigorous, long-term protection strategy, with a budget to match, is not always easy.
Decision makers are prone to viewing the issue as an ICT one, for the ICT team to solve. Typically they have some general awareness of the threat posed by hackers and cyber-criminals, but little understanding of which IT assets are connected to the company's network, or of how monitoring and incident response programs operate.
Just as digital transformation has morphed from technology issue into a critical, whole-of-business concern, cyber-security needs to be reframed as an enterprise-wide problem, which calls for an enterprise-wide approach.
Here are some ways for IT professionals to make the case.
Show them the money (they stand to lose)
A successful cyber-attack can be far more than an irritant. If critical systems are affected and operations disrupted, the cost of recovery and lost business can run well beyond what a rigorous protection program would have cost in the first place.
Consider the case of publicly listed valuation house LandMark White, which put its losses at $7 million after a breach of its valuation platform in early 2019 resulted in the compromise of almost 140,000 records.
The tightening of Australia's privacy legislation in February 2018, when the Notifiable Data Breaches scheme took effect, means regulatory penalties can be added to the tab. Organisations must notify affected individuals and the Office of the Australian Information Commissioner of eligible data breaches, and companies that fail to handle serious breaches appropriately face fines of up to $1.8 million.
For many organisations, these are not small sums. They can have a material effect on profitability and the bottom line and that’s not an ICT concern: it’s a matter for the board.
Explaining the risk of inaction in this financial context is likely to make your call to action significantly more compelling.
Share the status quo
Outlining the status quo in a way that a lay person can readily grasp will add further weight to your argument. The C-suite will not want to wade through jargon or acronyms. What they will want is a clear picture of the cyber-security measures currently in place within your organisation, and where the gaps are.
Yes, there’s a problem – have a plan to solve it
Convincing the board of the need for action is an achievement but it’s not the end of the story. Decision makers are typically solutions-oriented people and, given you’ve raised a problem with them, you’ll get extra kudos – and a credibility boost – if you’ve come armed with a plan for how it should be solved.
The more detailed the better. A plan which outlines exactly the resources required, how much they’ll cost and when they’ll be deployed lets the board know you’re serious about what you’ve proposed and are up to the challenge of making it happen.
You’ll stand an even better chance of getting the nod if you offer a choice between two or three costed plans, along with your own informed assessment of which is best suited to the organisation’s risk profile and budget.
Defend your position
Even the most amply justified requests for funding are rarely waved through without a murmur. An enterprise-wide cyber-protection strategy is unlikely to be an exception.
Anticipating the questions and objections you are likely to encounter, whether financial, logistical or technical, and preparing well-researched responses will make a positive outcome more likely.
Time to act
In 2019, cyber-attacks represent a real and rising risk to Australian enterprises which don’t have comprehensive strategies in place to mitigate the threat and remediate swiftly, should the worst occur.
Security professionals who are able to prosecute a strong case for strategic investment in an enterprise-wide protection program stand a better chance of getting the board on board – and ensuring their employer doesn’t become one of this year’s cautionary tales.