Cybersecurity for Executives: How to Talk to Leaders About the Importance of Risk Management
The red lights are flashing everywhere. News stories are warning about a sharp rise in ransomware attacks, a 2000X fold increase in cybersecurity breaches, and more cyber-related doomsday scenarios. Meanwhile, the Biden Administration released a much-anticipated cybersecurity plan earlier this year, calling for more investments in cybersecurity.
With new threats circling and the president’s call for additional cybersecurity resources, one would think that cybersecurity funding has increased across the board. Think again. According to McKinsey, more than 70% of CISOs and security buyers anticipated their budgets shrinking last year -- and this is during the pandemic.
Clearly, many executives still do not understand the importance of cyber risk management. It’s almost as if we need a “cybersecurity for executives” 101 course. In absence of that, let’s talk about why it’s still so difficult for some C-level executives to embrace the need for a better cybersecurity posture.
Misunderstanding how cybersecurity impacts performance
One possible explanation is that, in light of the recent difficult economic environment, corporate executives and board members are closely examining their organizations’ finances. As such, they’re likely to make cuts in areas that don’t appear to directly affect revenue. On the surface, it may appear to them that cybersecurity doesn’t directly correlate with a company’s bottom line.
Of course, that’s not true. Just ask organizations like Capital One, which had to pay $80 million to settle claims related to its cybersecurity breach. In addition to being costly, cyberattacks can cause irreparable damage to a company’s reputation.
But unless it’s explained in terms they understand or care about, it’s often hard for senior executives to directly tie risk into corporate performance. They don’t want to hear about how many potential intrusions a firewall prevented over the past six months, for instance. They want to know, how would those intrusions have impacted the business if successful? How much data would we have lost? And how does that translate into company performance and loss of revenue?
Speaking the C-suite’s language
To get through to the C-suite, you need to start speaking their language. Stop talking about the technical aspects of your security apparatus. Start translating how well prepared (or not) your organization is to defend itself against the next possible attack in terms executives can understand, and quantify your conclusions in easily digestible metrics.
One way to do this is by conveying risk levels in terms of something that every executive can relate to: a number. The lower the number, the more improvements you need. The higher the number, the better you’re doing, and the less financial and reputational risk the company is likely to endure in the event of a breach.
Security ratings deliver this type of information in a clear and straightforward manner. A rating of 250 -- the lowest on the scale -- indicates a high level of risk, whereas a rating of 900 -- the highest potential rating -- signifies a well-fortified organization. Showing an executive the 250 rating, along with some context about what that could mean for liabilities and financial losses, is bound to make even the most cost-cutting executive think twice about reducing their company’s cybersecurity budget.
Expert Panel: What Does The Board Want From Your Next Cybersecurity Report?
Gaining a competitive advantage
In fact, security ratings are more likely to give you the support you need to increase your funding. That’s because they can be used to benchmark your organization’s security posture against that of your competitors.
Having a strong cybersecurity posture can set your company apart from the others in your industry. Customers and third-party suppliers are more likely to want to do business with you. Insurers are more likely to underwrite you.
Plus, benchmarking your organization’s security performance against the rest of the marketplace can illuminate your company’s strengths and weaknesses. You can then make a case for prioritizing cybersecurity funding, not only to improve your own cybersecurity posture, but to keep pace and hopefully exceed that of your peers. You can then apply that additional funding to specific areas of need uncovered in your benchmarking analysis.
Cybersecurity for executives doesn’t have to be complicated
At the end of the day, getting senior executives and board members to put a high priority on cybersecurity doesn’t have to be complicated. It just needs to be put in language that will resonate with their priorities. Understandably, those priorities center around how to protect their business from a financial and reputational standpoint. Increasingly, that means protecting it from cybersecurity incidents, too.