How to Pitch ISA Cybersecurity to Your Team, so You Pay Today – Not Tomorrow

“You can pay me today or tomorrow. But tomorrow includes a press release describing that we weren’t proactive in protecting our data and systems.”

Russ Verbofsky, CIO and CISO, New Mexico Department of Game and Fish

Organizations can adequately fund their security budgets today, or pay in cleanup, fines, damages, and bad publicity after a breach. Judging by current cybersecurity budgets, numerous companies have decided to pay tomorrow.

You know your company’s data is vulnerable to cyber threats. You lack the staff, or the expertise, to fully cyber-secure your organization and ensure security compliance. You need help. The challenge lies in how to convince your executives or board of directors that cybersecurity is as critical as other operational priorities and is essential to protecting the company’s current profits. 

When it comes to implementing an organization-wide cybersecurity plan, security executives such as CISOs and IT Directors often have their hands tied because they need to get buy-in from the executive branch or the board of directors before investing budget. Often, there is a battle between what are deemed profitable business priorities and “unprofitable” cybersecurity investments that protect the bottom line.

Even in the face of headlines about data breaches, fines, and increased regulations, growth-oriented leaders tend to focus on allocating the budget toward other expenses. However, investing in cybersecurity is an essential business expenditure in the digital economy. So – how do you successfully pitch ISA Cybersecurity’s services to your team so you can get the help and cybersecurity you need?

How to make a successful pitch and avoid your company becoming the next breach headline.

“It’s critical that security and risk management leaders supply board-relevant and business-aligned content that is not hampered by overly technical references.”

 – Rob McMillan, Research Director, Gartner

The following is some advice for when you want to make a case for bringing in cybersecurity experts. Because it’s not enough for you to know it’s the necessary thing to do – you must convince them.

1. Keep it simple and high-level.

Speak the executive’s language and steer clear of overly technical explanations and language. Explain what you’re trying to achieve and speak to the key factors of how cybersecurity can support the organization’s primary objectives and better sustain a safe business model. Demonstrate cybersecurity’s involvement with mission-critical operations (and what can happen if adequate cybersecurity isn’t in place) and how bottom-line profits can be directly impacted without proper cybersecurity measures. Treat cybersecurity as you would any other business function and be sure to include the scope of material risks that are being managed and an overview of the vulnerabilities your company faces.

2. Outline the benefits of having experts evaluate your company’s vulnerabilities.

Having cybersecurity (and therefore cyber threat) specialists conduct thorough security testing and assessments on your system can save time, headaches, and potentially heartbreak in the long run. Cyber threats evolve continuously. It’s our job, at ISA, to stay current on threat trends and the vulnerabilities threat actors are exploiting to gain network access.

ISA Cybersecurity provides security assessment and consultation services such as vulnerability assessment, penetration testing and threat risk assessment to provide an accurate risk-based action plan that can be incorporated into your organization’s strategic security plan.

From those tests, ISA Cybersecurity can recommend a course of action and the best security solutions to make your company safer and ensure you’re doing due diligence regarding security regulation compliance.

3. It’s more than just technology.

It takes more than technology to make your organization cyber-secure. Some processes and policies need to be updated. ISA Cybersecurity has 27 years of experience helping organizations across every industry become cyber-secure. And, while we know each organization is unique and there is no one-size-fits-all technology security solution, we have enough experience to know what works, what doesn’t, and what else needs to change outside of installing the newest technologies.

For example:

· How do you ensure your remote workers are safely logging in and file-sharing?
· Do you have consistent permissions?
· Should you employ a zero-trust policy?
· How do you secure those that often travel for your business?
· Is your password policy adequate?
· Should you rely on two-factor authentication?
· Is biometric identification hackable?
· Should personal mobile devices be permitted for conducting work?
· What happens if an employee clicks on a malicious link – or thinks they may have?

This is just the tip of the slippery cyber iceberg. There are so many areas to consider concerning people, policy, and procedures when implementing cybersecurity strategy.

4. Too many unutilized apps and the wrong solutions can cost you more in the long run.

Application sprawl, defined as the unchecked growth of an IT system, is a real occurrence. Redundant software can be detrimental to competitiveness and cybersecurity. Some of the largest companies have an average of 3,400 applications – which raises the question, how do you secure such a sprawling system? Some of those apps may be storing data and be vulnerable to cyber threats without your knowledge.

Also, cybersecurity solutions are a significant investment; you don’t want to throw money away selecting the wrong products or buying solutions that fulfil overlapping tasks. ISA Cybersecurity can help ensure you are making sound security choices that are scalable and practical to your business in addition to making sure you’re keeping your sprawl secure.

5. Know your numbers.

Present your team with how much a cyber breach costs on average – the loss in 2019 ultimately depends on the country and the industry, but generally ranges from $1.25 million to $8.19 million. According to Digital Guardian, data breaches cost companies $150 per record. That number is up from 2018’s average cost of $148 for each document, which was up from $141 in 2017. Companies that have experienced a security breach underperform in the market by more than 15 percent three years later. Employing an incident response team – like the specialists at ISA Cybersecurity – can reduce the average cost of a data breach by $14 per record. Include any other statistics that help to make your case. Use real-life news examples to drive home your point. The aftereffects of Equifax, for example, are scary to many boards.

6. Demonstrate Return on Investment

Again, it comes down to the bottom line. An initial investment today can save far more severe expenditures tomorrow. Use your company as an imagined case study and clearly illustrate your point.

“Cybersecurity strategy needs to be led by the board, executed by the C-Suite and owned at the front lines of the organization.”

Help Net Security.

Hopefully the team you’re pitching to sees the value that ISA Cybersecurity Inc. brings. If not now, then they might see the value after a breach.

From start to finish, ISA Cybersecurity can help your company assess, strategize, and implement the right security for your company. Contact us for more information – we’d love to help you strengthen your pitch.
