How to Get Buy-In from Leadership
Security professionals often struggle to convey the importance of security to leadership and to validate new business security initiatives, no matter how important they might be. It can be difficult to instill security principles into larger business models, even though they are crucial to reducing the risk of incidents such as data breaches.
So, how do security professionals bring more attention to their projects and get board approval for these critical initiatives? It starts with open communication.
Having a visibility discussion with leadership to explore the risks your organization faces is important, said Astin Thomas, CIO for Sunbelt-Solomon Solutions, at the conference. This is especially true for new CIOs or CISOs, he said.
“If you come in and you’re building the security program, have a third-party organization look at the infrastructure before taking your case to the leadership team,” said Thomas. Many times, leadership won’t pay attention to your assessment unless there is a credible source backing it, which can be hard to prove on one’s own as a newcomer.
Executive leadership team members also care about the impact new security protocols will have on their departments, said Thomas. You must explain how security plays a role in every department and why, he continued, such as the importance of information security in HR or finance. Jeremy Weiss of CDW also suggested that this can be helpful in meeting executive leaders where they are in terms of their level of cybersecurity understanding.
“Taking that step back to sell to the board is important,” says Weiss, a cybersecurity practice lead. “If you’re a smaller business, you might want to introduce them to third-party risk.”
Many executive leaders of smaller businesses believe that hackers are not directly targeting them, Weiss said. The hackers could, however, be after much bigger fish, such as a partner, he noted. The introduction of cloud and mobile poses major liabilities for your organization, which should be shared with leadership. In fact, Weiss shared, 61 percent of breaches now come from a third party.
“No one is a stand-alone entity as a business anymore,” said Weiss. “You rely on your business partners to keep your business up and running.”
Finally, consider consolidating and making use of the security tools the business already has in place. For the majority of security teams weighing new approaches to their architecture, such as zero trust, the tools that already exist within the infrastructure can help them get there. This approach will ultimately make security more efficient for the business, said Weiss, and will lead to departments spending less money, which business leaders always enjoy.