How to elevate cyber security to a board-level issue


To say cyber security should be a top priority for any modern business feels as though it should be entirely uncontroversial in today’s climate. Between high-profile breaches, the risks opened up by our new ways of working and the well-established risk to reputation, finances and the general operation of your company, surely every organisation will be prioritising security as part of their IT investment?


The reality, however, does not always match up to this ideal. Security professionals still often have to work hard to improve security through tools, training and other techniques – and are met as often as not with indifference or hostility. Even where the board is concerned, while they might understand the need for bolstering security, securing the money, resources and support to make that happen is not always easy.

Having the board on-side when it comes to cyber security is key. They are the people who set strategy for the whole organisation; they can enforce security policy in a way that team leaders cannot, as well as ensuring the business operates a uniform security system that meets its needs.

On top of this, the business as a whole looks to them for leadership. If the people at the top are understood to be fully embracing security and the measures it takes to keep the company safe, it’s likely to help defuse opposition throughout the ranks.

Speaking the right language

Of course, you can’t rely on the board having an in-depth understanding of IT and security issues. Some may have a grounding in the technical issues at hand. But you need to speak to them in a language that everyone can grasp, and one that communicates the importance of investing in your cyber security strategy.

One key is striking a balance between what the board needs to know and what it doesn’t. It’s worth making sure they can understand key concepts like zero trust and two-factor authentication, as these tie directly into how security operates in the business on a practical level. You can, however, stop before getting into the nuts and bolts of Trusted Platform Module (TPM) technology or sandboxing – in other words, concepts that are likely to confuse them rather than get them on board.

You also need to dispel some of the enduring myths surrounding cyber security – and particularly the criminals who perpetrate attacks. The stereotype of the faceless, hoodie-wearing villain can muddy the issue. This conception of the lone-wolf hacker can obscure the fact that cyber crime is a big, well-organised business, and that, in this environment, any organisation can become a target.

Your goal is to give the board a clear understanding of the level of risk involved, the potential cost of failing to address these risks, and a clear roadmap of how you intend to build your security systems to prevent these breaches from happening. The case is a strong one – it’s your job to communicate it. With the board’s backing, it will be much easier to access the technology you need and to roll it out successfully across your company.

To learn more about making your case for cyber security investment, and what to do once you have, read our co-branded IT Pro/Intercity report, ‘Getting board-level buy-in for security strategy’.
