Making the Business Case for Cyber Security: How to Make the Senior Management Buy-in?
The board room at any conglomerate or startup transforms into a ‘Thought Chamber’, the moment CISOs and their associates try to make a business case for Cyber Security. The session debates on which technology to buy, and what processes to bring in. While the CISO team tries to make a strong case, one of the board members, with an incongruity neck-stroke points out the already invested amount on security measures, and how he sees no ROI. Within a space of half-dozen coffee cup refills, talks levitate to the CISO team penciling in Pie charts, showing ROIs and CBAs of various security controls and how the organization’s crown jewels actually depends so much on these measures. Like any unending process, such scenes are played numerous times in an organization’s boardroom but still the top management remains tentative, Cyber Security is still looked upon as an added cost by the senior management today.
This makes the job of a CISO difficult to sell Cyber Security. Tough economic conditions make this job even more difficult as security initiatives and budgets are among the first to suffer cutbacks or be cancelled altogether. A common reason behind this “bolt from the blue” decision is the management’s belief that security projects emanate flimsy ROI. Fact of the matter is, when choosing between a platter of security measures (will happen) and a potential cybersecurity incident (may happen), the senior management takes the chance that an incident will not happen. So, how to make the senior executives to buy-in? CBA sheets, ROI graphs, or something else? Let’s discuss.
Senior Management Views of Cyber Security
Before getting into formulating a full-proof plan of wooing the senior management to make a wind-falling response in investing in security measures, CISOs need to understand their views of Cyber Security. With a role of making the expected profits for each quarter, Cyber Security for senior managers is just a “maybe” kind of event. Thus, a risk analysis to unearth vulnerabilities, threats, and countermeasures, etc. may not be just sufficient to convince a senior manager to accept large allocations of resources. What will cause the senior management to buy-in is cost-justification or return-on-investment (ROI) figures for the set of security tools to be employed. Furthermore, senior executives often fail to realize their responsibility of information protection adequacy; or are unwilling to take the necessary steps to meet this responsibility. To win support for information security spending, IT security professionals need to explain in clear and simple business terms to senior executives the risks present in their organizations. But how to do it?
Making the Business Case for Cyber Security
While entering a boardroom, CISOs and their fellow associates must be clear about what to pitch and how to pitch in front of the senior management. They must remember that the moment they utter an unconvincing point about a security measure, it will be converted into a puff of smoke. CISOs must be clear about the scope, crown jewels, risk appetite, and former investments on security measures of the organization. Also, a set of handy data must be in place to notify the management about the profit that would be generated. Following points can help CISOs make a strong business case for Cyber Security.
- Know your audience
A CISO’s audience is typically going to be a group of business executives with titles such as Chief Executive Officer (CEO), President, Chief Financial Officer (CFO), Chief Operating Officer (COO), Chief Information Officer (CIO), and Chief Marketing Officer (CMO). Thus, it is essential for CISOs to remain concise and poised while describing the perils of threats, associated risks, and how to mitigate them. Unfamiliar and overly technical jargons must be avoided. The situation in hand (cyber breach) must be related to the whole business in a way that senior management can grasp its impact on the business operations and reputation.
- ROIs and CBAs
A cost/benefit analysis chart and a rank-order of the various options of security measures based on the results of the analysis must be presented in front of the management. It should culminate with a rank ordering of funding priorities and requests for cybersecurity activities. CISOs must present a case of security measures, positively impacting the crown jewels and thus forecasting the ROI. A positive ROI will automatically make the top management incline in favor of employing measures of cyber security.
- Lead a Business-back approach
Instead of notifying the senior management about the technological vulnerabilities, start the discussion by informing them about the crown jewels (critical business asset), they must protect. Keep a “business-back” approach by presenting an evaluation to the organization’s cyber risk profile across the full value chain, clarifying expectations with vendors and enhancing collaboration with key business partners.
- Explain the positive roles of Cyber Security
Listing many positive roles that cyber security may play in the organization’s operations can really be worthwhile. CISOs must clarify the management that cyber security measures not only offer information protection but, at the same time, they also confer valuable services such as compliance, resource management, and governance.
- Avoid fear-mongering
Remember the story of the boy who always cried wolf, and how he was forsaken when he was yelling the truth? Don’t be that boy! It is indeed hard to argue the effectiveness of the fear-mongering strategy, but it may back fire on some occasions. An organization in a constant state of fear can generate far too many false positive incidents. This in turn can desensitize users to real threats because the "cry wolf" mentality can take hold.
- Communication holds the key
CISOs must remember that no matter how precisely they prepare for a cyber security business case, the way they communicate holds the key for senior managements to buy-in. CISOs must avoid any techno-babble and acronyms in their presentations. They must always remember the hot buttons of their audience that needs to be addressed. The key for this area is to find a method of practicing the discussion so that CIOs are comfortable with their delivery and gestures.