There has been an age-old debate about the gap between ‘the business’ and ‘IT’. And nowhere is this more acute than when it comes to information security.
The CEO and the rest of the C-suite in the boardroom know that security is important and that the threats in this digital age are increasing. But they often lack the depth of technical knowledge to fully understand the risks to their business and, therefore, what security investments they need to make.
Yet ultimate responsibility for any security breach falls to the top table – some of the big breaches in the past year have led to several C-level executives paying the ultimate price. That’s got to be a wake-up call for any board members who think they can bury their heads in the sand or who believe that IT security is something they don’t need to concern themselves with in any detail.
So, how can the CIO or CISO communicate security risk to the board to justify investment in the necessary technology to protect the business?
It’s good to talk
The first step, of course, is to make it a responsibility for everyone around the boardroom table. A study by McKinsey and the World Economic Forum examined cybersecurity risk management practices with more than 60 of the world’s 500 largest companies. It found that senior management time and attention was the single biggest driver of maturity in managing cybersecurity risks.
Regulation and compliance
Traditionally, one of the main reasons for CEOs and CFOs to sign off on security investment is regulatory compliance. That covers both vertical industry regulations and national or regional legislation, such as the new – still to be finalised – EU General Data Protection Regulation and the EU Cybersecurity Directive. This is likely to be a strong driver in countries with very strict data protection laws, such as Germany and Sweden. There is a danger in just ticking boxes, however: analyst Gartner warns that being compliant doesn’t necessarily mean your business is secure and says security should be “protection driven”.
CIOs and CISOs have often resorted to fear to try to justify IT security investment. While there is certainly a responsibility to make the board aware of risks, simply touting ‘world might end’ scenarios isn’t the best approach. Gartner studied 300 board presentations on risk and security and concluded that using FUD (fear, uncertainty and doubt) to get board support just doesn’t work. “Executives don’t want to hear how bad everything will be if they don’t invest,” says the analyst.
Rather than presenting worst-case scenarios and then holding out the security collection tin to the board, the C-suite wants an honest assessment so it can make judgments on what is an acceptable level of risk – locking everything down is both too expensive and impractical. Does the company know what its most sensitive data is? Deloitte advises identifying the top information security risks to the business and assigning risk factors to each of them. The board can then make an informed call about where to place its security investment bets.
Business value and ROI
The best language to use to justify security investment to the board, of course, is that of business value and return on investment. Every other department has to use ROI metrics and security shouldn’t be any different. Yet security investment is notoriously difficult to justify in terms of ROI. But CIOs and CISOs can talk about the enabling effects of new security technologies. Think about the example of some banks deploying two-factor authentication, which boosts customer confidence in digital and online services and reduces losses from fraud. Or an oil company using security to connect its smart oil fields to the business infrastructure and avoiding downtime or interruption to oil production.
Don’t baffle the board with dashboards of technical operational security metrics and terrifying breach disaster scenarios. Encourage executives to take a proactive approach to information security by talking the language of the C-suite – risk versus reward and business value. Put the emphasis on security as a business enabler.
Connect with me on Twitter: @GertJanSchenk