Involving Executives: Strategies for Conveying Cybersecurity in a Compelling Manner

Obtaining support for cybersecurity initiatives in the corporate realm demands a delicate approach. If the remaining members of the executive team believe the organization is already safeguarded, acquiring funding for projects can become an uphill task for the Chief Information Security Officer (CISO). Likewise, articulating the need for preventive measures can be a challenging task.

At the ISC2 Security Congress, held in Las Vegas from October 12 to October 16, Jorge Litvin, the founder and CEO of Safe-U, offered insights into presenting security-related discussions in a manner that resonates with executives.

What makes communication between cybersecurity and the boardroom so demanding?

In the absence of effective communication between the CISO and the remaining C-suite members, the entire organization could potentially face adverse repercussions.

According to Litvin, the key to garnering support for cybersecurity endeavors lies in delineating these risks in business-oriented terms. Neglecting to do so could lead to misallocated resources, reduced esteem for the CISO, and diminished team morale due to inadequate support. Moreover, budget allocations are less likely to align with the requisites of the cybersecurity team.

“Their anticipations are beyond what we can realistically achieve with the resources at our disposal, and those resources are dictated by them,” Litvin remarked.

To rectify this, cybersecurity practitioners should engage in conversations utilizing the language of the executives.

“We should always bear in mind that our primary objective is not to shield everything,” Litvin emphasized. “What are the essential business functions that we must safeguard? Focus our requests accordingly.”

Business impacts can be operational, financial, compliance-related, or reputational. For instance, malevolent actors masquerading as business entities or perpetrating fraud under the company’s banner can tarnish the firm’s reputation.

5 recommendations for impactful communication

Mirroring the language of the C-suite involves:

  • Comprehending the viewpoint of the executives. How occupied is the executive? What are their areas of concern?
  • Recognizing the repercussions of threats on core business operations. Articulate cybersecurity challenges concerning how they affect the organization’s capacity to deliver its goods or services.
  • Demonstrating to executives how the cybersecurity project will be advantageous for the organization.
  • Employing a strong opening (“This meeting will be successful if by the end of it we…”) and closure (“If there’s one thing to retain, it’s this…”) during meetings.
  • Conveying brief and straightforward talking points, and having a concise version prepared in case the executive cuts the meeting short.

“Try to illustrate how your initiative serves as a business enhancer,” Litvin advised.

For instance, if the cybersecurity unit intends to adopt a Software as a Service (SaaS) solution to support its staff, the cybersecurity leader can position the solution to the C-suite as a means to support the organization’s planned expansion into Europe. After all, the solution will showcase the company’s dedication to data protection, a critical aspect of GDPR compliance.

The C-suite might want reassurance that the cybersecurity decision-maker has explored all options before proposing a project or service. Present different avenues to the C-suite and advocate for the one you endorse. It is imperative that the message conveys that the proposed option is the optimal choice for the organization, not a personal preference.

Share concepts with additional board members as well

Securing buy-in necessitates interdepartmental communication. Effective communication with the C-suite entails articulating financial matters in precise terms.

Unsure about the anticipated Return on Investment (ROI) for a cybersecurity initiative? Litvin suggested, “We can approach the financial facets [of the organization] or a consulting firm and request assistance in developing a presentation. Help me determine if this is rational or feasible or if a better alternative exists.”

Illustrate the financial impact of the project using both absolute and relative figures, drawing comparisons between the current state and potential benefits.

Cybersecurity leaders can introduce their initiatives to other board members before meeting the CEO. This will elucidate how the project influences different departments and teams. Solicit their feedback by asking, “How can we collaborate to ensure its success?” Following these discussions, maintain the momentum by following up with them.

Familiarity with business frameworks – such as the Business Model Canvas – can aid cybersecurity professionals in pinpointing the critical aspects to address during a meeting with executives.

Lastly, inspire executives to engage with the existing cybersecurity initiatives within the organization. They can lead by example by participating in Cybersecurity Awareness Month activities. Ensure that managers permit employees to watch cybersecurity training videos instead of merely instructing them to “return to work,” as per Litvin. Ultimately, aligning the cybersecurity unit with broader business objectives can only serve the organization positively. It’s merely a question of using the right language.

Disclaimer: ISC2 covered my airfare, lodging, and some meals for the ISC2 Security Congress event held from October 13 – 16 in Las Vegas.
