Getting Leadership to See Things ‘IT’s Way’
As the old saying goes, it takes a village to raise a child. In the case of modern business, it takes the whole organization to effectively grow an organization and keep it safe. Even in the days when people lived in villages, it was up to the chiefs to make good decisions and protect the tribe from outsider threats. In today’s enterprise, the same notion rings true more or less: Corporate America’s chiefs are facing down malicious code and hackers instead of claws and clubs.
Today’s corporate leaders have much more to worry about than hunting and foraging. The higher-ups in your organization have to answer to a board of directors and shareholders on any number of items including annual revenue, product development and business expansion. On a macro level, corporate leaders want to do right by the business they’re heading, but IT security likely won’t be top of mind for the majority of them.
The good news is that according to a survey from consulting firm Deloitte & Touche, more executives are seeing cyber risk as a business issue rather than strictly an IT problem. One vice chairman at the practice says that corporate executives “increasingly regard cyber risk as part of the broader conversation about business risk” and that “they’re starting to seek a broader approach to cyber security than they’ve used in the past.”
The survey’s findings produced some insightful tidbits concerning the information security climate of some of America’s largest corporations. For example, about two-thirds of the survey respondents said they are actively reviewing the National Institute of Standard and Technology (NIST) cybersecurity framework. About 21 percent of that pool are either already using it or have plans to do so.
On the other hand, 71 percent of respondents highlight a lack of funding as their biggest barrier to an effective cybersecurity program. That high percentage suggests that decision makers fail to see the financial justification for increasing investment in that area, says Kiran Mantha, an advisory principal for Deloitte’s cyber risk services practice. The issue of executive visibility could play into this as well; just 37 percent of respondents said their organization submits quarterly reports on cybersecurity to their board and 44 percent say no cyber risk information makes it to stakeholders at all.
As the modern enterprise focus shifts more toward the security of digital assets, there are actions information security professionals can take to make executive leadership care about cyber risk:
Turn the Digital into Visual. By hosting cyber risk heat-mapping exercises with threat intelligence experts, you can literally ‘spell it out’ for senior leadership. Events like this can help highlight the most prominent cyber risks and reinforce the need to take cyber threats more seriously. Also, demonstrating cyber threats visually allows you to break the barrier between tech-speak and boardroom lingo.
Define Risk KPIs. When making a business case, key performance indicators (KPIs) must be used to make collected information meaningful. While discussing cyber risk with executives, security professionals must stress the most serious risks facing the business, risk indicators that signal the company’s exposure to them and the methods the company is using to keep those risks within acceptable limits. Since defining KPIs provides information security personnel and executive staff a common language to work with, “they also help executives make decisions about funding, priorities, and investment, while improving accountability for and alignment of the cyber risk program,” says Mantha.
Create a Mock Cyber Incident. Simulating a real crisis is one of the best ways to demonstrate the resources and process needed to defend against a real one. These simulations help senior leadership recognize that cyber incidents are not a problem exclusive to IT, but require actions from the CEO, CRO, legal counsel and PR professionals as well. Cyber security drills also expose blind spots and weaknesses in an organization’s response to an incident and help executives see the hard business impact of a breach in real-time. Emily Mossburg, an advisory principal lead for Deloitte’s Cyber Risk Services, says that “due to their realism, simulations often create an emotional hook that motivates participants to be more engaged in an ongoing cyber risk program.”
Using these three methods should prevent a hat-in-hand approach to IT budgeting and ensure that your organization’s chiefs see the writing on the wall of the cave.
Learn about how your organization can be prepared for unexpected disruption to your business activities by looking at five common mistakes.
Learn how the government shutdown affected business and the countermeasures needed to address the risk to remedy the situation.
Let’s continue helping the millions impacted by Hurricanes Harvey and Irma. Let’s also help business prepare for the next disaster with better BC/DR plans.