The constant battle to keep cybercriminals at bay has become a board-level concern in recent years, with defence expenditure trending ever upwards. In a tough trading period for most companies, cybersecurity budgets have largely been spared the axe, but business leaders won’t keep throwing money at the problem without a clear idea of the return on this considerable investment.
It’s therefore down to data security chiefs to explain the risks clearly and make the case for continued investment clear to their boards and C-suite colleagues, most of whom won’t have in-depth knowledge of the subject.
Get personal with your communications
This is even more of a communication challenge for CISOs when their audiences of senior stakeholders are focused on the bottom line. Cybersecurity doesn’t generate revenue; it mitigates the risk of incurring unbudgeted costs, much like an insurance policy.
It’s harder to demonstrate the value of something that averts a negative outcome compared to something that produces positive results, notes Gerard McGovern, director of digital strategy at the Tony Blair Institute for Global Change.
“Proving ROI is a challenge, because that is more the cost of not doing something,” he says. “The cost for prevention is nearly always far less than the outlay required in the aftermath of any attack.”
McGovern would advise CISOs to remove technical details from their explanations and make the subject as relatable as possible by reframing it.
“No one questions the need for locks and alarm systems when it comes to buildings – and it should be no different with cybersecurity,” he says. “It’s easy to point at the numerous breaches that have cost their victims millions, but that can still often be too abstract. It’s better to personalise it to your organisation and explain what the potential impact would be on each of its teams.”
Data security chiefs should therefore present their case in compelling terms that the rest of the C-suite can understand. But this is easier said than done, according to Mark Wantling, CIO at the University of Salford. He believes that IT professionals typically aren’t adept at speaking the language of business. As a result, cybersecurity is “still considered unapproachably technical and something of a dark art by many”.
But Wantling adds that there are other effective ways to highlight the need for continued defence spending.
“I’ve taken to giving stakeholders live tours of the dark web. Eyes are really opened when the board sees C-level credentials for sale, hackers offering their services for as little as $2,000 and leak sites flaunting data lost to ransomware attacks,” he says. “These methods demonstrate how easily poor cybersecurity can result in a breach and the potential ROI for attackers. It’s not only the company’s IT that’s affected; the firm’s reputation and bottom line are also at stake.”
Make cybersecurity about business strategy, not about tech
The ability to attach any cybersecurity investment to the enterprise’s strategic objectives is key to creating a powerful argument.
“When discussing anything with financially minded stakeholders, whose primary concerns are sales and operations, you must look at the organisation through their lens,” Wantling stresses. “I like to put a figure on the impact of a system outage. Our business is seasonal. If an attack were to strike home during the university’s two-day clearing period, that could mean a £30m annual loss of revenue for three years. This hard figure is what I take to the board.”
Similarly, Amanda Finch, CEO of the Chartered Institute of Information Security, argues that cybersecurity must demonstrate its value as a strategic asset to prove its worth to business leaders.
“At a minimum, this means ensuring that the right key performance indicators are applied,” she says. “So, instead of being measured against statistics such as the number of breaches prevented, which could largely be down to luck (and in an ideal situation will be zero because of proper risk management), security should be measured against factors such as how many strategic partnerships it has enabled and business transformation projects it has supported.”
Asam Malik is a partner at French auditing giant Mazars who leads its technology and digital practice in the UK. He also advocates linking cybersecurity investments to business outcomes. A bonus of this approach is that it is unlikely to cause C-suite colleagues or board members any embarrassment over their lack of technical knowledge.
Malik says that, when he has written a cybersecurity investment plan, he has “mapped it to a business strategy that states ‘our strategy is to grow, maintain our customers, derive more profit from our existing customer base’ and so on. You explain how your cybersecurity plan will help the business to achieve those objectives.”
When expressed this way, it’s less likely to be viewed as “a chunk of money just spent on tech”, he adds.
Cybersecurity as a unique selling proposition
If communicated correctly, an organisation’s stance on cybersecurity can even be turned into a selling point, Malik suggests.
“It’s obvious to say things such as: ‘If we don’t do this, we could let an attack through and earn us a bad reputation, causing our business to suffer.’ That is true, but what we don’t often mention is the other side of it: if an organisation does cybersecurity really well, it can turn this into a unique selling proposition,” he says.
“If we’re one of those firms that holds all the accreditations and does scenario planning and regular testing, that could be a USP, as many organisations will pay more for that comfort. If execs have two or three suppliers to choose from and there’s a little nervousness concerning cybersecurity, say, they’ll pick the one in which they feel most confident.”
The one big lesson for CISOs to take from all this is: don’t make the conversation about technology risk, because an audience of business leaders will lose interest and you will lose them. Talking about the bigger strategic implications will guarantee a more successful engagement with those with the power to determine how much – or how little – is going to be spent on cybersecurity.