Recent data breaches at companies like British Airways and Capital One have made it more evident than ever before that cybersecurity leaders must prepare for a staggering number of potential threats. Credential stuffing, account takeovers, and insider threats are all attack vectors that could devastate a business. But without the C-suite’s support, it’s impossible for cybersecurity leaders to effectively plan for and defend against these threats.
If the C-suite doesn’t fully understand a security risk, they likely won’t prioritize investing to defend against the potential threat. This, of course, can lead to disastrous consequences, like losing loyal customers, hurting brand reputation, or incurring major fines. The British Airways breach led to a fine of almost $230 million, and that doesn’t include intangible losses like a damaged reputation. As a result, it’s up to security leaders to effectively communicate and position security risks to company leaders and decision-makers.
Here are five tips to help cybersecurity leaders navigate the C-suite:
Make cybersecurity a priority—for everyone
While leaders acknowledge security is a vital part of their organization, they often prioritize other initiatives that provide a more direct return on investment. According to a recent study from Nominet, 90 percent of C-suite members think their organization lacks the proper resources to defend against a cyberattack, and 76 percent of them think a security breach is inevitable. This highlights a disconnect: While C-suite executives acknowledge security is an issue, they’re not doing all they can to protect their organizations.
In another report from Wipro, 72 percent of organizations cited employee negligence and lack of awareness as a top cyber risk. Because of this, cybersecurity leaders need to find ways to relate cybersecurity to all departments of a business. Pushing everyone in the organization—not just the C-suite and IT teams—to think about security through awareness programs and other initiatives is necessary for any organization. When everyone actively thinks about cybersecurity and how it affects the overall well-being of the company, preventative measures will be more effective. Whenever presenting a specific threat, take a minute to explain why all employees across the business, including the C-suite, should care about it. For instance, the CMO will likely be interested to know how a hacked third-party tag on the website could steal customers’ personal information, thus violating user privacy regulations and affecting brand reputation. By working with the C-suite to make the business security efforts a top priority across the company, nobody will be caught off guard in the case of a new threat or a security incident.
Attach cybersecurity needs to business requirements
Cybersecurity leaders often have difficulty translating risk into impact, or cash cost, and presenting it in a way that aligns with business goals. For example, a member of the security team might need to explain to the C-suite why an organization should purchase a new encryption service. Instead of only speaking to the importance of encryption and broadly mentioning that it could save the organization money down the road, point out some industry statistics to back it up. A recent IBM study suggests that encryption reduces the cost of a data breach by $360,000 on average—a number that should persuade anyone to consider better encryption. A simple cost-benefit analysis is all that’s needed.
Overall, security leaders should communicate threats in an easily digestible way, but also show how the small initial cost to close a security hole can prevent a more significant cost down the road. According to the same IBM study, the average data breach costs an organization $3.92 million—a crippling setback for any organization. If possible, spell out what a cyber threat could cost the organization, including costs around incident response, potential fines, and lost customers.
Get to the point
The C-suite has a lot of responsibilities. If security teams present them with too much information at once, C-suite executives might overlook critical details. It rests on the cybersecurity leader’s shoulders to provide just enough information to show impact, but not so much that they lose their audience. Explain essential details, like the immediacy of an attack or how many people it could affect. Diving into the technical specifics of credential stuffing or email phishing attacks, however, might not be the best strategy to get a CEO’s attention. Leave out extremely technical jargon along with the non-essential graphs and charts […]