Cyber security has a visibility problem. Outside of the context of a breach, the Board is likely to only pay attention to cyber when complaining about costs.
Cyber security leadership is defined by your ability to explain the value of cyber and gain the support necessary to prevent a breach from occurring in the first place.
Without Board support, the most likely outcomes are:
- Increased risk and likelihood of a breach.
- Missed opportunities to adopt digital strategies or improve business outcomes.
In the current risk landscape — dominated by remote working and increased remote access of critical business applications and data — getting security right has never been more important. Mitigating risk and flexibly taking advantage of new opportunities are both critical to building sustainable foundations within the new normal.
How you frame cyber security has a big impact on how you are perceived as a leader, how cyber is perceived within your organisation, and how effective your security system will be. You need funding, but you also need broad organisational support — remember, it’s not just about technology, but also people and processes.
Luckily, the answer is relatively simple, even if the specifics are more complicated. You need to focus on the opportunities created by cyber, and the opportunity cost of inaction — not simply the direct cost of action. At Six Degrees, we’ve spent decades helping cyber security professionals overcome this central challenge of perception and effectively orientate their organisation around cyber. Let’s explain this in more detail.
Suggested reading: If you have an upcoming board presentation (before or after a breach), check out our free downloadable resource — Board Presentation Toolkit: Cyber Security and Threat Management.
Step 1: Stress the opportunity (not cost) of cyber security
If there is a central point, it’s this: you want to re-frame cyber security as an enabler of commercially-focused outcomes, rather than focusing on the risks of failure or what cyber security costs. You want to put the things that effective cyber security will enable you to do front and centre in order to focus business leaders on the positive business outcomes that they care about.
A big part of what contributes to cyber security’s visibility problem is the fact that it’s hard to benchmark what cyber investments actually deliver. Focusing on outcomes and opportunities creates that benchmark and transforms cyber from a cost-centre into an investment opportunity that delivers measurable ROI — three of the Board’s favourite letters.
Pro tip: There is some utility in taking the opposite framing — the potential cost of failure. For example, an IBM study found that the average total cost of a single breach is around $3.86M (~£2.9M). If you want to spend £500k to prevent this breach, that seems like a good deal. The problem with this framing is that the breach may never occur, so the cost you are avoiding is hypothetical and easy for the Board to discount. The positive benefits of investment are far more concrete — and far more persuasive.
What this looks like in action
Your business might have been mulling over the idea of a customer support portal for years. Self-service options can bring immense savings to customer service operations, and potentially create a competitive advantage able to substantially grow your business.
You can look at a project like this as a problem, something that presents a whole host of security-related challenges. From this perspective, you also become a problem — holding up the project and simply peppering stakeholders with objections and demands for additional funding.
What you should do instead is look at the project like an opportunity. Identify what you need to deliver a secure outcome and compare that against the cost-savings delivered by the project. A £5M investment over the next five years looks a lot smaller in the context of £25M in cost savings and £15M in growth over the same period.
Pro tip: Don’t forget to think about how investments for one project will enable different projects, and make sure to include those opportunities whenever overlap occurs.
Step 2: Create evangelists across your organisation
Looking at the opportunities and outcomes delivered by cyber not only lets you create an ROI benchmark for investment, it makes cyber security a lot more popular across your organisation. But this doesn’t need to be a reactive strategy — it’s something you can go out of your way to foster.
Rather than waiting for projects to come your way, think about the cyber security investments you want to make, and then think about how those investments will enable other functions within your business. By sharing these ideas with leaders across your organisation, some of them will become evangelists willing to help you secure the support you need to help them.
What this looks like in action
For a lot of organisations, remote working has been the big challenge of 2020. You may have adopted a range of ad hoc policies to provide semi-secure remote access to the critical applications and data required to keep operations running.
A strategy that we’ve helped a number of businesses execute in response to the remote working shift is endpoint security partnered with Managed Detection and Response. This creates a far more flexible and robust system — specifically within a BYOD (Bring Your Own Device) and remote working context.
Think about the teams within your organisation that want BYOD, need greater flexibility to engage with outside contractors, or simply want to provide simple remote access. Go to these leaders and explain what you want to do and how it will benefit them — and then watch them do the heavy lifting with the Board for you.
Step 3: Use cyber security risk assessments to your advantage
The cyber security risk assessment is a critical tool at your disposal for planning and communication. This is because it pulls together the problems, solutions and opportunities created by cyber in a single document.
Risk assessments also create an opportunity to review your appetite for risk. As you know, cyber security is not about guarantees, it’s about weighing up costs. Traditionally, that means the cost of failure vs the cost of mitigation. We would suggest adding opportunity cost to this as well — what inaction will prevent you from achieving. However, in all cases, there is a trade-off.
Your organisation’s appetite for risk defines which risks are deemed acceptable and which are not. The reason that this is worth focusing on is that it shifts the need for investment away from you and on to your organisation’s general stance on risk — which is a Board-level decision. Risk assessments also create opportunities to present findings to the Board. Together, this presents an opportunity to bring the Board directly into the conversation in a positive way.
What this looks like in action
When presenting to the Board, make sure that you are clear and concise. Be ready for questions and make sure to frame everything within the context of the opportunities it creates. However, when you need to discuss the reasons for investment, always put this within the context of your organisation’s stated stance on risk.
For example, rather than simply stating that an investment is necessary, you can state that it’s necessary in order to deliver the project within the risk parameters that you’ve been given. This is a small distinction, but it’s one that centres the conversation on the strategic decisions that the Board cares about. Even if they don’t truly understand the nature of the risks posed, they are invested in a conversation about risk more generally. You can use this to engage the Board and give them a sense of agency within the conversation.
Suggested reading: Five Cyber Security Questions Any CISO Should Be Able to Answer in 2021.
Step 4: Always look to do more with less
Sometimes better cyber security isn’t about spending more money (or securing additional funding) — it’s just about a strategy shift that makes you more efficient. This is helpful because it lets you come to the Board with good news: that you want to spend less money.
However, cutting your own budget isn’t the only component of this. Sometimes, the reason for investment is long-term cost savings. Similarly to how you should always be looking for ways that investment delivers financial opportunities across the wider organisation, look for ways that it will save you money within cyber.
What this looks like in action
More robust security systems generally require less testing. So, for example, investment in a multifactor authentication (MFA) system will have upfront costs, but might bring long-term savings through reduced penetration testing and simpler management.
There are also just ways to deliver a more efficient overall outcome. One thing we work with a lot of clients to deliver is managed detection and response (MDR) services. As an MDR provider, we can generally deliver a better outcome at a lower cost than our clients could provide in-house. This is because it takes far fewer resources to monitor a system than respond to an incident. In-house teams need these resources on hand at all times; we can provide them on-demand.
Suggested reading: Four Ways Strategic Partnerships Improve Cyber Security
Change happens one step at a time
You aren’t going to transform your Board’s opinion of cyber security overnight. Our suggestion is really a simple one, but it’s also one that is most effective over time. Change how you think about cyber security and reflect that transition in how you communicate the value of investment.
Rather than focusing on problems and cost, focus on opportunities and growth. Every interaction you have across your organisation is an important one. Think about how it reflects on the priorities of effective cyber security and change your actions accordingly. Over time, this can change how your entire organisation perceives and engages with cyber security. The reality is that this engagement actually makes it easier to do more with less. Get in touch if you want help mapping this strategy onto the specifics of your organisation — we’d be happy to help.