"Cybersecurity is a cost"?. If you think so, you better have 4 million spare cash in the bank.

"Cybersecurity is a cost". If you think so, you better have 4 million spare cash in the bank.

In the world of cybersecurity professionals, we all know cybersecurity is a business enabler: it drives growth and fosters creativity by protecting the core and critical assets of the company.

A failproof way to sell cybersecurity!

But we're pretty much the only ones who know. Why? Everyone is all for cybersecurity, but when money's involved, all of a sudden cybersecurity is a sunk cost.

How to sell cybersecurity to executives when you have nothing to sell and everything to buy?

SCARE THEM. A LOT. A LOT MORE THAN THAT.

One nice number to keep in mind: after a major disaster affecting the company's assets (cybersecurity incidents or natural catastrophes), half of the companies never reopen. That looks scary, but mostly to SMBs (small and medium businesses).

The 5-part recipe to get everyone onboard

"I'm a Fortune 50 company, what could possibly happen to me?" A lot. A simple equation for our top MBA graduates running the world :

  1. Data breach = Strategic data or customers' personal information out for everyone to see
  2. Strategic data or customers' personal information out for everyone to see = Not Good
  3. Not Good = Worsened reputation, angry customers, suspicious contractors, falling share price and regulatory costs and fines
  4. All of this = Less money + the cost to actually fix the holes that led to the breach
  5. All of that = Even less money

So what is crystal clear out of all of that (and all of this) is that you need to take cybersecurity seriously. The average cost of a data breach in the US is now over 4 million dollars. I'm sure you could put that money to use somewhere else.

Why don't many board members care?

Selling security to the board is a nightmare. Most don't really know tech, let alone cybersecurity. They don't have a lot of time and are already figuring out how to solve a billion problems they know about.

Talking to that demographic is difficult, but let's keep in mind they know business and numbers. Maybe if we start talking to them in a language they understand instead of using tech verbiage, they might listen.

They mostly care about the reputation of the company, upcoming regulatory threats or their financial safety. All of these things could be badly shaken by a cyberattack. That's some common ground to start changing mentalities.

They have processes to take care of those issues in board meetings, but nothing is set in stone to deal with cybersecurity. So first, a process needs to enable the CISO (Chief Information Security Officer) to talk to the board and tell them how poorly we rank amongst our competitors on some metrics. This could trigger a reaction, hopefully a positive one.

If this can't be done, maybe hire a consulting firm that will deal directly with the board, assess the situation with an outsider's eye and (probably) come to the same conclusions as the CISO. Sometimes someone else has to say it.

Going back to the scary stuff

Many times, we don't respond to numbers and rational arguments that well. We postpone decisions because the risks aren't near and we're not a target (for now). As I was saying before, scaring them is effective.

Use an event that happened in a company similar to yours. Go through the details of what happened to the now-defunct previous top executives. Use emotions and storytelling. The risk will be far greater in their eyes after that. It is more persuasive than any graph or any chart.

Have processes in place, use external help if needed, change perception through storytelling and use equations.
