From sensitive emails to customer credit card information, it seems like “hack du jour” is a staple on the nightly news. So why is cybersecurity education such a hard sell to your board of directors?
Convincing your company to pour money into prevention can feel like you’re trying to sell an invisible suit of armour (“I swear, a sword won’t run through it.”). But cybersecurity ROI is exactly that—an investment delivering an end result that can’t be seen. You’re going to need to spin the conversation the right way to get the C-suite to buy in.
Crunch the numbers
Most company cybersecurity ROI decisions come down to balancing acceptable risk for your organization. If your company doesn’t have a big IT budget, it’s your job to put hard data behind your argument, and peer pressure can’t hurt. More than half of cybersecurity professionals anticipate that their organization will suffer an attack within the next 12 months, according to the 2017 Cybersecurity Trends Report by Crowd Research Partners. As a result, 46 percent are boosting their security budget by an average of 21 percent, spending money on additional cloud infrastructure, training and education, and mobile devices.
In a CSO article, author Ilia Kolochenko shares an equation called Annual Loss Expectancy (ALE), calculating the number of incidents per year times the potential loss per incident. If your company does nothing to better its cybersecurity, the result of that equation is what you can expect to lose.
To come up with a figure, start by providing a year’s worth of credit monitoring for affected customers at about $20 per account. Next, factor in potential legal fees, costs to recover and restore data, charges for forensic investigations, and compliance fines. The damage can add up quickly—just one cyber attack on the National Research Council “cost Ottawa hundreds of millions of dollars.”
Protect your rep
If your CEO or board is questioning a large investment in cybersecurity education compared to a potential low-cost loss, it’s time to play the company reputation card. In addition to a financial loss, security breaches impact a company’s brand value. Following a data breach, 33 percent of retail customers said they’d stop shopping at the affected retailer for a minimum of three months, according to Canadian Underwriter, while 19 percent would stop shopping at a retailer completely—even if it fixed the problem. Winning over customer confidence can take months, if not years, especially if your company is small and has limited funds for crisis management and public relations.
Sometimes, the C-suite understands these points, but their resistance may not have anything to do with money or brand trust. Have any of your past IT upgrades caused unexpected problems you needed to address and solve, like software glitches or department-wide downtime? Some organizations don’t welcome upgrades of any kind if they’re afraid it will negatively impact their organization’s productivity. Address this up front and be honest. Chances are, your team is thinking about the last crash and how it inconvenienced them. Provide a realistic timeline for debugging a new system and details about what people can expect during the upgrade.
Focus on education
When it comes to cybersecurity ROI, your biggest job is educating the rest of the company. “It’s always about training, and don’t be oblivious and don’t be naïve,” stated Walid Hejazi, a professor at the University of Toronto. When any employee is a potential weak link that can expose the company to a cyber attack, IT needs to make sure everyone’s on the same page when it comes to cybersecurity.
Give your team information on how data breaches happen, and provide the basic cybersecurity protection the company needs, including an investment in secure devices. While convincing the C-suite is a difficult task, Andrew Stanley, CISO at Phillips and the MIT Sloan panel moderator, believes it’s getting better: “Boards are learning. They need to know—and as it becomes more of a regulatory issue, they want to know,” he said. “Wise CISOs can educate the board and then get the budget they need to do the job.”