Securing buy-in for cybersecurity projects in business requires a fine balance. If the rest of the C-suite believes the company is already secure, the CISO may struggle to get a budget for projects. Simultaneously, getting funding for preventative measures can be difficult to communicate.
At the ISC2 Security Congress held in Las Vegas from Oct. 12-16, Safe-U founder and CEO Jorge Litvin shared strategies for framing security discussions in ways that resonate with executives.
Without effective communication between the CISO and the rest of the C-suite, the entire business could face negative consequences.
The key to gaining support for cybersecurity efforts is to explain these risks in business terms, Litvin said. Failing to do so can result in poorly allocated resources, a lack of respect for the CISO, and decreased team morale due to insufficient resources. Additionally, budget allocations are less likely to meet the cybersecurity team’s needs.
“Their expectations are unreal to what we can really do with what we have, and what we have is what they give us,” said Litvin.
To fix this, cybersecurity professionals should speak in the executives’ language.
“We should always remember that our main goal is not to protect everything,” said Litvin. “What are the core business functions that we have to protect? Focus our request on that.”
Business impacts can be on operations, finances, compliance, or reputation. For example, threat actors faking business accounts or committing fraud in companies’ names can negatively affect the company’s reputation.
SEE: Generative AI projects in the UK tend to be stuck in the planning stage, with data governance being a major blocker.
Speaking the C-suite’s language involves:
“Try to convey how your project is a business enabler or enhancer,” Litvin said.
For example, the cybersecurity team may want to implement a SaaS solution to support its staff. In that case, the cybersecurity leader could pitch the solution to the C-suite as a way to support the business’ planned expansion in Europe. After all, the solution will demonstrate the company is training on data protection — a factor in GDPR compliance.
The C-suite may want to see if the cybersecurity decision-maker has considered all alternatives before presenting a project or service. Show the C-suite different paths and reveal the option you support. Specifically, the messaging should clearly demonstrate that the option being presented is the best choice for the business, not a personal preference.
Getting buy-in also requires some interdepartmental communication. Effective communication with the C-suite means talking about money in concrete terms.
Don’t know the expected ROI for a cybersecurity project? “We can go to the finance areas [of the business] or a consultancy and say ‘help me do the math to present this,’” Litvin explained. “Help me understand if this is logical or feasible or if there is a better way.”
Compare the project’s financial impact using both absolute and relative numbers, making comparisons to the current state and potential gains.
Cybersecurity leaders can present their project to other members of the board before a meeting with the CEO. Doing so will help convey how the project affects different areas and teams. Ask for their opinion, with questions such as, “How are we going to work together to make this successful?” After these meetings, follow up with them to maintain momentum.
Knowing business frameworks — such as the Business Model Canvas — can help cybersecurity professionals identify the most important points to hit in a meeting with executives, too.
“Ask yourself what they will probably ask you,” Litvin said.
Lastly, encourage executives to get involved with the cybersecurity efforts the business already has in place. They can lead by example by participating in Cybersecurity Awareness Month exercises. Ensure managers allow employees to watch cybersecurity training videos instead of simply ordering them to “get back to work,” Litvin said. In the end, aligning the cybersecurity team with larger business goals can only benefit the business. It’s just a matter of finding the right words.
Disclaimer: ISC2 paid for my airfare, accommodations, and some meals for the ISC2 Security Congres event held Oct. 13 – 16 in Las Vegas.