The job of an CISO can be one of the most stressful when it comes to cybersecurity. It can sometimes feel like an avalanche of responsibilities, all with the goal of keeping an organization safe.
More often than not, the problem comes down to the issue of securing funding for a new technology that can make the job easier. In reality, CISOs cannot always obtain the necessary management buy-in to receive this funding. The security posture of their organization suffers as a result.
To help CISOs who find themselves in this position, we asked a panel of experts to comment on the following question: What are the ways to get buy-in for cybersecurity projects?
Maurice Uenuma | LinkedIn
I think we’ve all learned by now that it’s nearly impossible to accurately quantify return on investment (ROI) in any sort of security initiative. Safety is inherently a process of dealing with the unknown. So, it’s still difficult. There are of course ways to measure the financial impact of violations, such as the average cost of a violation to a business or the financial impact per stolen recording. This data is available, but at the end of the day it’s a matter of each organization looking at its own place in the world and understanding what it can tolerate and what it cannot. It’s risk management. Mitigate the risk, transfer it, share it, etc. This will lead a good part of the discussion.
Understanding the identity and purpose of the organization and being able to talk about it is an important part of managing risk. For example, for banking and financial services, the integrity of financial transactions is of critical importance. For owners / operators of critical infrastructure, the reliability of control systems to support life and physical integrity is very important. In the automotive industry, safety is important. The ability to tie a safety investment message to this, recognizing that we cannot quantify it perfectly, is an important skill.
It’s a billion dollar question. We focus so much on technology, but we don’t realize that the people who have to fund or approve this technology don’t necessarily understand what you are doing. Having someone who can talk about the technology and relate it to the information a stakeholder needs to know is the most effective method of doing this. We always say, âCommunication is keyâ and âWe always communicate. But are we communicating effectively?
I would definitely invest in someone who is a trained professional and make sure your pitch is correct so that another person can understand what is being asked. Then you can focus on developing a great relationship with them so they know you can trust each other. When people love and respect each other, they are more likely to sit down and seek a solution to a problem.
I think there are several ways to do this. It’s going from macro to micro. I often tell people to first identify the business benefits of implementing cybersecurity. What is this return on effort and investment? Not just to the CISO, but to everyone around the Council table. So, when you are working within an organization, it is important that you get to know the C-suite. Each person in that room will have a business diary, a business diary, but they will also have a personal diary. What are their benchmarks? What are the benchmarks for the human resources manager? Also, what is their experience with information security? He or she may have had a real problem with the previous person while implementing information security programs.
Therefore, as soon as you start talking about information security, it might not be you or the subject that turns them off. What you may actually be feeling is something that may have triggered something in them from a previous unpleasant experience. We must therefore take the time to get to know them, their professional and personal objectives. When we talk about getting board buy-in, we often talk about how we can cut costs or how we can make it a business differentiator. Perhaps it would be best to speak on a personal level to engage them. It could be telling them, “If you have kids, that means you won’t be bullied on the weekends.” When we have an outage, you won’t have to jump on an emergency call to deal with that customer issue because we’ve had a cyber attack. Just being able to speak on a personal as well as a corporate level is something that I often miss. It is a missed opportunity.
It is certainly a difficult area. I know a lot of people struggle with this. I am fortunate to work with many different boards of directors in organizations. What I find that works is first to consider the language you use to speak at the board level. It will of course be very different from how you speak at the technical level and also different from how you speak at the more general level of the workforce. What you focus on at the board level is what matters most to them, which is often money. You talk about finances. You talk about reputational impact. It’s about helping board members or senior managers understand the impact. I often see people who might have a more technical cybersecurity focus wanting to talk about technical issues, but from a leadership perspective, they need to know the impact. They aren’t that much interested in what the vulnerability does or anything like that. They are interested in how this might affect their organization.
I also find that storytelling works well with any audience you communicate with. It’s about choosing the right stories. Often, board-level thinking is about peer organizations and how they stack up against their peers. How to reference? So being able to build on that and use whatever is in the public domain that has happened to similar organizations helps bring it to life. Also use incidents within the organization and metrics around topics of interest to the board. People have a lot of metrics on the technical side, and it’s also okay that the metrics aren’t perfect when it comes to the human side. Some people think too quickly that you can’t put metrics on the human side of security because they won’t be entirely accurate. Well, no measurement is totally accurate, but once you start with data, you can refine it, you can improve it, and that gives you something. You can then talk to the leaders about it. They can then follow that. So if you’re looking for a bigger budget or looking to show off the impact of what you’ve done, the metrics will speak volumes with that audience.
I presented a conference this year called Security measures that matter because I am obsessed with collecting metrics and data. When I launched my first application security program, I literally took all the results of our security incidents from the previous three months and noticed that 26% were caused by insecure software. But we didn’t have an application security program. The developers had no support, no guidance, and no advice. I explained to them that I could use the time left on my consulting contract to fix the problem and that it would actually cost less than what the incidents were costing us.
I didn’t need to buy any tools as I picked out a bunch of free tools that we started out with. When they saw that all the incidents could have easily prevented all these incidents, the three executives to whom I was explaining this immediately gave me the approval to start this project. There’s all kinds of research on how the later you fix a bug, the more it costs. So if you realize during the design phase that there is a design flaw from a security perspective, you can correct it afterwards rather than correcting it afterwards. There is an exponential cost difference in fixing something in the design rather than fixing it later.
Communication: the key to guarantee membership
Security has often been seen as a cost center in most organizations. Recent historical violations have changed this perception, showing that the cost is often outweighed by the benefits of risk avoidance and post-violation remediation. However, this does not mean that the board of directors is handing out bags of money without any justification. What our experts are demonstrating is that effective and meaningful communication remains the most valuable method of gaining buy-in for security products. It’s more than just “speaking the language of the business” that matters. It’s about having those conversations with more depth of personal and organizational insight.