Digital infrastructure is far-reaching, and employees have access to more tools and power than ever before. The days when cybersecurity could be handed off to the IT department and only brought up at an occasional board meeting are far behind us. For businesses to effectively protect their systems and data, cybersecurity needs to be organization-wide.
The enterprise now faces a more dangerous cyber landscape than ever. That’s not going to change. If anything, the danger will only grow worse.
Hackers are becoming more sophisticated, with the market for cybercrime ramping up well into the trillions. State actors equipped with huge budgets and advanced technology now target businesses with increasing frequency. And the increased power and agency afforded to the end user means that insider threats are a constant, devastating risk.
All this is happening in tandem with the development and proliferation of the Internet of Things. Connected devices are becoming more prevalent in both our personal and professional lives – and though they’re highly convenient, they represent a massive (and often unsecured) threat landscape. And it’s one that many organizations are ill-equipped to deal with, given that 69% of companies are saddled with security solutions that are both outdated and inadequate.
Amidst all this chaos, organizations need to take a step back and understand that technology alone is not enough – it’s simply the foundation of your security posture. You can have the highest-end firewall on the market, but that doesn’t matter if someone simply targets your supply chain. You can have an advanced, automated threat detection system, but that will be for naught if someone falls for a simple phishing email.
Dealing with the challenges above requires more than some shiny new infrastructure. It requires a cultural shift – requires that people within the organization start caring more about their distinctive role in keeping their business safe. Like every such shift, this has to start at the top.
That means your executive team, and winning them over is much easier said than done.
“It’s absolutely crazy,” an anonymous former Fortune 500 CISO explained in an interview with CSO Online. “Every time there would be a major breach, I’d write up lessons learned, and it would just fall on deaf ears. I couldn’t make the message stick.”
The issue is that many in the C-suite likely still view cybersecurity as an unprofitable (if unfortunately necessary) investment. Your first step is to change that perception, so that you can secure a large enough budget increase to put better, more effective security solutions in place.
But where do you even start?
First things first: you’re going to have to do some homework. Look at how other organizations within your industry have implemented cybersecurity infrastructure, and examine their cybersecurity awareness programs. From this research, you can compile a list of best practices and recommendations that you can use in the presentation you’ll give your board (which we’ll talk more about in just a moment).
According to CSO contributor Scott Schlimmer, the next step from there is to start speaking their language. Pare down your statements so you present them with only the key points, and avoid getting too technical with your explanations. Keep things short, sweet, and specific. The more concise you can make your points, the better.
Additionally, you may want to treat your conversations with them more as sales pitches and less as technical presentations. Provide your board with real, tangible metrics that they can use to justify a return on investment, and make sure they’re laid out in a format that’s both simple and impactful. You can draw on some of the principles of user interface design to help you out with that – carefully space distinctive objects in your presentation apart from one another, and organize it so that you aren’t forcing people to focus on too many things at once.
Finally, make sure your presentation can be understood without you being present to explain it. There’s a good chance you won’t be around when the board actually rules on your request. If they can’t understand half of what you brought them, your message isn’t going to get through.
One alternative route I’ve seen taken by a lot of IT professionals is to focus on data breaches and cyberattacks in the media, using them as case studies that hammer home the importance of a strong security posture. While that can certainly be useful on occasion, I’d avoid taking things too far – it may sound pessimistic, but cyber incidents now happen with such frequency that they’re starting to become little more than white noise.
What you can do, however, is bring in a third-party expert. Subject your organization to a security audit of some kind. As noted by Schlimmer, one of the best ways to get management to believe what you tell them is for their business to fail a security audit. Workplace drills that show execs the vulnerabilities within their organization in a real, tangible form are also of value, and many firms provide this service.
Perhaps the most important advice I can give you is that you need to be prepared to encounter resistance to your ideas. There will be people who don’t believe you, and people who outright shut you down. Focus on the people who are actually paying attention – they’re the ones whose minds you can actually change, and the others will likely come around once their peers do.
The face of IT has irrevocably changed. Businesses must now embrace cybersecurity wholeheartedly if they’re to remain truly secure. The first step in ensuring yours does is to get leadership on board – though that’s easier said than done, I have faith that, with the knowledge above, you’re more than prepared to do just that.