Cyber CEO: How to Get Executive and Board Level Buy-In for Cybersecurity

May 27, 2021

In the past, cybersecurity was a technical, IT responsibility. Executive teams and boards prioritized the business, not IT. How can we stay competitive? How can we increase revenue? How can we enhance enterprise operations? The irony is that a strong cybersecurity posture is one of the greatest business-enabling tools an organization can have in its arsenal.

So why the disconnect? The trend of cybersecurity as a business driver rather than a technology issue has been developing for some time, yet it remains difficult to get executive and board-level buy-in for cybersecurity. For those of you struggling with this, the answer lies in communication. Understanding your audience – specifically their objectives – is the best place to start. Here are my top 3 tips for effectively communicating cyber to your board.

Know Your Audience and Speak Their Language

Conveying the value of cybersecurity investments to people with little to no technical knowledge is difficult and complex. InfoSec professionals tend to describe the benefits of a strong cybersecurity program with technical jargon and acronyms. Unfortunately, this is the best way to lose your audience when pitching cybersecurity to your leadership team. Believe me – I’ve been there! Having been on both sides of the equation as the infosec executive and the enterprise leader, I can confidently say the key is to speak the language of the executive team and board. Prepare your pitch by asking yourself:

  • What are the leadership team’s critical business objectives?
  • How will the proposed cybersecurity program enable the critical business objectives?
  • How will the critical business objectives be affected by a cyber breach?

Adjust your pitch to answer these questions and you’ll be speaking their language!

Quantify Your Enterprise Cyber-Risk in Relation to Business Objectives

One of the most difficult questions cyber professionals receive from their leadership teams is: “What will be the return on this investment?” The most effective way to answer is to quantify your enterprise’s cyber risk based on given budgets and define a clear return on investment (ROI). It’s often effective to quantify what your organization stands to lose as the result of not making that critical investment. How much will it cost in finances, employee time, and reputational damage if you were breached?

Set expectations for your executive team and board by:

  • Defining the level of protection that can be assured by varying investments in cybersecurity
  • Identifying the price your business would pay if it were successfully breached
  • Explaining how a cyber-attack would negatively affect critical business operations and bottom-line profits

This will give your leadership team measurable metrics to make an informed decision.

Identify the Right Areas to Invest In

Oftentimes, leadership teams expect their cybersecurity program to cover all areas of risk. In reality, this approach can dilute the protection that high-priority areas should be getting and waste precious budget. Instead, take a data-driven approach to demonstrate an effective and tactical cybersecurity strategy and help the board understand exactly what they will be getting from the investment. Communicate how you intend to balance spend against potential risk outcomes by:

  • Assessing your current security posture and identifying your enterprise’s specific threat vectors. Mapping security controls to industry frameworks like MITRE ATT&CK is a great place to start!
  • Developing a risk/reward equation to build a tiered security approach
  • Providing measurable key performance indicators (KPIs) and a strategy for how to track them

I’ve been in this industry for over 30 years, and over time I’ve seen a monumental shift from cybersecurity as a technology problem to a global business driver. Ultimately, your job as a cybersecurity professional is to secure your enterprise – and you can’t do that effectively without executive and board-level buy-in. Today I can confidently say that a strong cybersecurity strategy truly aligns with successful business objectives! Adjust your communication to best convey the business-enabling benefits of cyber investments to position yourself and your team for success.

To Your Success,

I’ve been in infosec for over 30 years and have had the great privilege of evolving and learning as a cybersecurity executive in a space I love. I’m the Founder & CEO of Herjavec Group, one of the world’s most innovative cybersecurity operations leaders. We pride ourselves on keeping enterprises around the world secure from the threat of cybercrime.

This blog has been set up to help me share the insights I’ve gained and experiences I’ve had with all of you. Every month I will post some advice and recommendations for my fellow Cyber CEOs – from current events to forecasted trends, and enterprise security best practices. Make sure to subscribe below and feel free to reach out here with the topics and questions you’d like to see covered!

Let’s collaborate and communicate as we strive to keep our organizations (cyber) safe.
